wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	NPE (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	NPE (1).exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9402.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD93DC.tmp	important.exe

Loads dropped DLL 64 IoCs

pid	Process
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
2020	taskhsvc.exe
5824	NPE (1).exe
5824	NPE (1).exe
4084	MBAMInstallerService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
4524	MBAMService.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
5668	mbamtray.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
4568	mbam.exe
5668	mbamtray.exe
4568	mbam.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
840	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\isljbgsxj479 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\F:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
238	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	important.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\MenuItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\TextArea.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.inf	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\CalendarUtils.js	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Frame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\qtquickcontrols2fusionstyleplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\qml\ColorSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-libraryloader-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\StackViewDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Dialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\GroupBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\MenuSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ArwControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll	MBAMInstallerService.exe
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbshlext.dll	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\GaugeStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\MenuStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ApplicationWindow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-rtlsupport-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Network.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\TabViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbshlext_proto	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\RadioDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Popup.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ToolSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\qtquick2plugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-processenvironment-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-multibyte-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Page.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyleHelper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\window_border.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\qml\IconGlyph.qml	MBAMInstallerService.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\MBAMCore.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ToggleButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\CheckBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\StackView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ucrtbase.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\ToolMenuButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\SystemPaletteSingleton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Dial.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\GroupBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\button_down.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwipeView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\CheckDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Pane.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\SwitchIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\BasicTableView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_fi.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-datetime-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\information.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\ScrollIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Dialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ButtonPanel.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\RangeSlider.qml	MBAMInstallerService.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scecomp.log	MBAMService.exe
File created	C:\Windows\rescache\_merged\1910676589\227395627.pri	compattelrunner.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NPE (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	NPE (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	werfault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	werfault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	werfault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	NPE (1).exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	NPE (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	werfault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	NPE (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NPE (1).exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	werfault.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wsdapi.dll,-200 = "Trusted Devices"	certutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoftWindows.Client.CBS_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.creddialoghost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-304 = "Endorsement Key Trusted Root Certification Authorities"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-305 = "Endorsement Key Intermediate Certification Authorities"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\AppxPackaging.dll,-1001 = "Trusted Packaged App Installation Authorities"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.ECApp_8wekyb3d8bbwe%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A3E14F0-01F5-492E-AA97-3D880941D814}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{929A5C6C-42D7-4248-9533-03C32165691F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18C5830A-FF78-4172-9DFB-E4016D1C1F31}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0CEAFA7-4F65-418C-8A61-92B2048115EE}\ = "ICloudControllerV3"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5201562-332D-4385-87E7-2BB41B1694AA}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1F1EB48-7803-4D84-B07F-255FE87083F4}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D448EF3-7261-4C0C-909C-6D56043C259D}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04F8CDB5-1E26-491C-8602-D2ADE2D8E17A}\ = "IMinimalScanParameters"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5201562-332D-4385-87E7-2BB41B1694AA}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA248A19-F84E-4407-ADD3-8563AFD81269}\ = "IArwControllerV2"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49207D05-5DFE-4F52-9286-1856A92A5BFE}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18C5830A-FF78-4172-9DFB-E4016D1C1F31}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A34647B-D9A8-40D9-B563-F9461E98030E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB82CDC6-F12A-4156-8DBF-EC7465B9C0B9}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503084FD-0743-46C7-833F-D0057E8AC505}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1E6E99C-9728-4244-9570-215B400D226D}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5186B66-AE3D-4EC4-B9F5-67EC478625BE}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D57ACF19-30E3-4B7E-BCDD-6EEB8E57AF27}\TypeLib\ = "{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{735BE2C0-5A9B-457A-A0A9-4B27FCED2817}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9442AA1-AEB8-4FB4-B998-BFBC37BA8A99}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C5B86F3-CEB8-44E3-9B83-6F6AF035E872}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68E3012A-E3EC-4D66-9132-4E412F487165}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3968399C-D098-40AF-9700-734B46FF03C9}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}\1.0\ = "MBAMServiceLib"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABC1D1AF-23ED-4483-BDA4-90BCC21DFBDB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7BCC13C-47B9-4DC0-8FC6-B2A489EF60EF}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\HELPDIR	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABC1D1AF-23ED-4483-BDA4-90BCC21DFBDB}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E8B60E-50A1-4E29-9138-A13421D2BF7D}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{553B1C62-BE94-4CE0-8041-EB3BC1329D20}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1F1EB48-7803-4D84-B07F-255FE87083F4}\ = "IMWACControllerV3"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4BDE5F8-F8D4-4E50-937F-85E8382A9FEE}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8ED8EAAB-1FA5-48D4-ACD4-32645776BA28}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C367B540-CEF4-4271-8395-0C28F0FDADDA}\ = "IPoliciesControllerV9"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6ED2B0A1-984E-4A35-9B04-E0EBAFB2842A}\ = "IScanControllerEventsV12"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00A73BC0-754E-44E1-B190-D59E187A5EA1}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1E6E99C-9728-4244-9570-215B400D226D}\ = "_ITelemetryControllerEventsV2"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F77B440A-6CBC-4AFD-AA22-444552960E50}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}\1.0\0\win64	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\ = "IUpdateControllerV4"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.RTPController.1\CLSID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106E3995-72F9-458A-A317-9AFF9E45A1F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A66A096-E54B-4F72-8654-ED7715B07B43}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2446F405-83F0-460F-B837-F04540BB330C}\1.0\0\win64	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EA9E3C-6507-4725-8F4F-ED4DDDE7A709}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\ = "ICustomScanParameters"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83D0C30B-ECF4-40C5-80EC-21BB47F898A9}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E41AC038-1688-417F-BE23-52D898B93903}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A993F934-6341-4D52-AB17-F93184A624E4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F967173-2B83-4B7F-A633-074B06FD0C64}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8307A4A5-A025-438B-B23B-8EE38A453D54}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B44D50B8-E459-4078-9249-3763459B2676}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4163399F-AB08-4E5E-BE28-6B9440393AD3}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A3E14F0-01F5-492E-AA97-3D880941D814}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4672	reg.exe

Suspicious behavior: AddClipboardFormatListener 10 IoCs

pid	Process
5668	mbamtray.exe
4568	mbam.exe
3488	mbam.exe
1640	mbam.exe
3412	mbam.exe
1036	mbam.exe
3656	mbam.exe
5496	mbam.exe
4836	mbam.exe
4612	mbam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3272	taskmgr.exe
2684	@[email protected]
4568	mbam.exe
632	taskmgr.exe
4664	taskmgr.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe
1496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	taskmgr.exe
Token: SeSystemProfilePrivilege	3272	taskmgr.exe
Token: SeCreateGlobalPrivilege	3272	taskmgr.exe
Token: SeShutdownPrivilege	3264	svchost.exe
Token: SeCreatePagefilePrivilege	3264	svchost.exe
Token: SeShutdownPrivilege	3264	svchost.exe
Token: SeCreatePagefilePrivilege	3264	svchost.exe
Token: SeShutdownPrivilege	3264	svchost.exe
Token: SeCreatePagefilePrivilege	3264	svchost.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe
Token: SeRestorePrivilege	3536	TiWorker.exe
Token: SeSecurityPrivilege	3536	TiWorker.exe
Token: SeBackupPrivilege	3536	TiWorker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe
3272	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2684	@[email protected]
2684	@[email protected]
2836	@[email protected]
1904	@[email protected]
1468	@[email protected]
1012	@[email protected]
3556	@[email protected]
2128	@[email protected]
4668	firefox.exe
5112	@[email protected]
3036	@[email protected]
4396	@[email protected]
5644	@[email protected]
5900	@[email protected]
6112	NPE.exe
6112	NPE.exe
6112	NPE.exe
6112	NPE.exe
6112	NPE.exe
4148	@[email protected]
6112	NPE.exe
6112	NPE.exe
5228	@[email protected]
5824	NPE (1).exe
768	@[email protected]
2044	@[email protected]
5824	NPE (1).exe
4984	@[email protected]
5520	@[email protected]
5624	@[email protected]
3360	@[email protected]
2920	@[email protected]
5972	@[email protected]
2332	@[email protected]
3620	@[email protected]
5588	@[email protected]
4836	@[email protected]
5668	mbamtray.exe
4568	mbam.exe
5668	mbamtray.exe
4568	mbam.exe
4568	mbam.exe
5668	mbamtray.exe
3488	mbam.exe
4568	mbam.exe
1640	mbam.exe
5668	mbamtray.exe
1028	@[email protected]
1568	@[email protected]
3412	mbam.exe
1036	mbam.exe
2632	@[email protected]
5056	@[email protected]
4568	mbam.exe
3460	@[email protected]
4076	@[email protected]
6020	@[email protected]
5304	@[email protected]
5304	@[email protected]
3656	mbam.exe
5496	mbam.exe
5632	@[email protected]
3008	@[email protected]
4836	mbam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2380	3160	important.exe	83
PID 3160 wrote to memory of 2380	3160	important.exe	83
PID 3160 wrote to memory of 2380	3160	important.exe	83
PID 3160 wrote to memory of 840	3160	important.exe	84
PID 3160 wrote to memory of 840	3160	important.exe	84
PID 3160 wrote to memory of 840	3160	important.exe	84
PID 3160 wrote to memory of 4212	3160	important.exe	87
PID 3160 wrote to memory of 4212	3160	important.exe	87
PID 3160 wrote to memory of 4212	3160	important.exe	87
PID 3160 wrote to memory of 4248	3160	important.exe	88
PID 3160 wrote to memory of 4248	3160	important.exe	88
PID 3160 wrote to memory of 4248	3160	important.exe	88
PID 4248 wrote to memory of 4368	4248	cmd.exe	90
PID 4248 wrote to memory of 4368	4248	cmd.exe	90
PID 4248 wrote to memory of 4368	4248	cmd.exe	90
PID 3160 wrote to memory of 1488	3160	important.exe	101
PID 3160 wrote to memory of 1488	3160	important.exe	101
PID 3160 wrote to memory of 1488	3160	important.exe	101
PID 3160 wrote to memory of 3432	3160	important.exe	114
PID 3160 wrote to memory of 3432	3160	important.exe	114
PID 3160 wrote to memory of 3432	3160	important.exe	114
PID 3160 wrote to memory of 2836	3160	important.exe	119
PID 3160 wrote to memory of 2836	3160	important.exe	119
PID 3160 wrote to memory of 2836	3160	important.exe	119
PID 3160 wrote to memory of 1556	3160	important.exe	116
PID 3160 wrote to memory of 1556	3160	important.exe	116
PID 3160 wrote to memory of 1556	3160	important.exe	116
PID 1556 wrote to memory of 1904	1556	cmd.exe	120
PID 1556 wrote to memory of 1904	1556	cmd.exe	120
PID 1556 wrote to memory of 1904	1556	cmd.exe	120
PID 3160 wrote to memory of 1508	3160	important.exe	125
PID 3160 wrote to memory of 1508	3160	important.exe	125
PID 3160 wrote to memory of 1508	3160	important.exe	125
PID 3160 wrote to memory of 1468	3160	important.exe	126
PID 3160 wrote to memory of 1468	3160	important.exe	126
PID 3160 wrote to memory of 1468	3160	important.exe	126
PID 3160 wrote to memory of 4108	3160	important.exe	127
PID 3160 wrote to memory of 4108	3160	important.exe	127
PID 3160 wrote to memory of 4108	3160	important.exe	127
PID 3160 wrote to memory of 3800	3160	important.exe	129
PID 3160 wrote to memory of 3800	3160	important.exe	129
PID 3160 wrote to memory of 3800	3160	important.exe	129
PID 4108 wrote to memory of 4672	4108	cmd.exe	130
PID 4108 wrote to memory of 4672	4108	cmd.exe	130
PID 4108 wrote to memory of 4672	4108	cmd.exe	130
PID 2684 wrote to memory of 2020	2684	@[email protected]	131
PID 2684 wrote to memory of 2020	2684	@[email protected]	131
PID 2684 wrote to memory of 2020	2684	@[email protected]	131
PID 3160 wrote to memory of 3668	3160	important.exe	133
PID 3160 wrote to memory of 3668	3160	important.exe	133
PID 3160 wrote to memory of 3668	3160	important.exe	133
PID 3160 wrote to memory of 3812	3160	important.exe	135
PID 3160 wrote to memory of 3812	3160	important.exe	135
PID 3160 wrote to memory of 3812	3160	important.exe	135
PID 3160 wrote to memory of 1012	3160	important.exe	134
PID 3160 wrote to memory of 1012	3160	important.exe	134
PID 3160 wrote to memory of 1012	3160	important.exe	134
PID 3160 wrote to memory of 1716	3160	important.exe	136
PID 3160 wrote to memory of 1716	3160	important.exe	136
PID 3160 wrote to memory of 1716	3160	important.exe	136
PID 3160 wrote to memory of 3556	3160	important.exe	137
PID 3160 wrote to memory of 3556	3160	important.exe	137
PID 3160 wrote to memory of 3556	3160	important.exe	137
PID 3160 wrote to memory of 4128	3160	important.exe	138

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\important.exe
"C:\Users\Admin\AppData\Local\Temp\important.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2380
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:840
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 300041644723135.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:4368
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1904
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "isljbgsxj479" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "isljbgsxj479" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5112
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5636
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5668
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5892
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5900
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5296
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5228
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:768
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5912
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5720
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5532
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5520
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5840
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5624
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3360
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5448
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:6084
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5804
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3620
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5904
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5588
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5616
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:840
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:6076
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:3200
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:6036
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4360
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5876
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:736
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3460
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5324
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:5304
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5904
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5632
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:3552
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5724
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  PID:5704
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  PID:684
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5756
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5768
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5504
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
  TaskData\Tor\taskhsvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2020

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff49814f50,0x7fff49814f60,0x7fff49814f70
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7076 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5968 /prefetch:2
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7416 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7356 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1056 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3084 /prefetch:8
  2⤵
  PID:6032
- C:\Users\Admin\Downloads\NPE.exe
  "C:\Users\Admin\Downloads\NPE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=984 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7356 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7204 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7432 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7328 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:1272
- C:\Users\Admin\Downloads\NPE (1).exe
  "C:\Users\Admin\Downloads\NPE (1).exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7204 /prefetch:8
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6960 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=892 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:1404
- C:\Users\Admin\Downloads\MBSetup.exe
  "C:\Users\Admin\Downloads\MBSetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:5760
- - C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,8326081225088515805,12584581526098690743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2300
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.0.1291263090\1075417325" -parentBuildID 20200403170909 -prefsHandle 2292 -prefMapHandle 2284 -prefsLen 1 -prefMapSize 216161 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2384 gpu
    3⤵
    PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.6.817923599\586467965" -childID 1 -isForBrowser -prefsHandle 2712 -prefMapHandle 1808 -prefsLen 787 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2040 tab
    3⤵
    PID:2520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.13.74555668\1101771849" -childID 2 -isForBrowser -prefsHandle 2972 -prefMapHandle 2980 -prefsLen 787 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 1980 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.20.1488172450\2029450100" -childID 3 -isForBrowser -prefsHandle 3468 -prefMapHandle 3460 -prefsLen 8222 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3480 tab
    3⤵
    PID:2140

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe
"C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:4084
- C:\Windows\system32\certutil.exe
  certutil.exe -f -addstore root "C:\Windows\TEMP\MBInstallTemp\servicepkg\BaltimoreCyberTrustRoot.crt"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3012
- C:\Windows\system32\certutil.exe
  certutil.exe -f -addstore root "C:\Windows\TEMP\MBInstallTemp\servicepkg\DigiCertEVRoot.crt"
  2⤵
  PID:5252
- C:\Windows\system32\certutil.exe
  certutil.exe -f -addstore root "C:\Windows\TEMP\MBInstallTemp\servicepkg\starfieldrootcag2_new.crt"
  2⤵
  PID:5228
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Modifies registry class
  PID:5256

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:4524
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5668

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:956

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x2ec
1⤵
PID:6048

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:5136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:632

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cafe24c4f8284936bb857a3ef34accfc /t 2320 /p 4568
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1404

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5496

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff39954f50,0x7fff39954f60,0x7fff39954f70
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1692 /prefetch:2
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 /prefetch:8
  2⤵
  PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1560 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8080 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8344 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7220 /prefetch:8
  2⤵
  PID:5200
- C:\Users\Admin\Downloads\RKill_2.8.2.0.com
  "C:\Users\Admin\Downloads\RKill_2.8.2.0.com"
  2⤵
  PID:4240
- - C:\Users\Admin\Downloads\RKill_2.8.2.064.com
    C:\Users\Admin\Downloads\RKill_2.8.2.0.com
    3⤵
    PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8832 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8808 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8712 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9164 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9320 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9352 /prefetch:1
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10044 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10196 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5376 /prefetch:2
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8976 /prefetch:8
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10108 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2938302599751509269,14121559477734866419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8912 /prefetch:1
  2⤵
  PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x2ec
1⤵
PID:2336

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4664

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2148

C:\Users\Admin\Downloads\NPE.exe
"C:\Users\Admin\Downloads\NPE.exe"
1⤵
- Drops file in Drivers directory
PID:812

C:\Users\Admin\Downloads\NPE (1).exe
"C:\Users\Admin\Downloads\NPE (1).exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery