prometheus | 43bab7ce6548eb084a181523a876f50dd378d3dcbb18327b75b5dd2c4fe8597b

Analysis

max time kernel
1527357s
max time network
1528336s
platform
windows7_x64
resource
win7-20220310-en
submitted
25-03-2022 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2_AutoClicker.exe
Size

243KB
MD5

edbff0a5ec26bf14a10dc04670c2aa95
SHA1

3de37335be986d68ba4cdd0fc6ab1b78ca45e2b6
SHA256

43bab7ce6548eb084a181523a876f50dd378d3dcbb18327b75b5dd2c4fe8597b
SHA512

8f3982aede528ab99710efbbe0ccfe6406a8eb3d1cc12ae295755032a0db193a03ca73e4b72ad3b024ae0b85430483c62c7d6e9c4355978b2113c54243cf7bd3

Score

10^/10

prometheus discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\1584_2040854243\english_wikipedia.txt

Family

prometheus

Ransom Note

the of and in was is for as on with by he at from his an were are which doc https also or has had first one their its after new who they two her she been other when time during there into school more may years over only year most would world city some where between later three state such then national used made known under many university united while part season team these american than film second born south became states war through being including both before north high however people family early history album area them series against until since district county name work life group music following number company several four called played released career league game government house each based day same won use station club international town located population general college east found age march end september began home public church line june river member system place century band july york january october song august best former british party named held village show local november took service december built another major within along members five single due although small old left final large include building served president received games death february main third set children own order species park law air published road died book men women army often according education central country division english top included development french community among water play side list times near late form original different center power led students german moved court six land council island u.s. record million research art established award street military television given region support western production non political point cup period business title started various election using england role produced become program works field total office class written association radio union level championship director few force created department founded services married though per n't site open act short society version royal present northern worked professional full returned joined story france european currently language social california india days design st. further round australia wrote san project control southern railway board popular continued free battle considered video common position living half playing recorded red post described average records special modern appeared announced areas rock release elected others example term opened similar formed route census current schools originally lake developed race himself forces addition information upon province match event songs result events win eastern track lead teams science human construction minister germany awards available throughout training style body museum australian health seven signed chief eventually appointed sea centre debut tour points media light range character across features families largest indian network less performance players refer europe sold festival usually taken despite designed committee process return official episode institute stage followed performed japanese personal thus arts space low months includes china study middle magazine leading japan groups aircraft featured federal civil rights model coach canadian books remained eight type independent completed capital academy instead kingdom organization countries studies competition sports size above section finished gold involved reported management systems industry directed market fourth movement technology bank ground campaign base lower sent rather added provided coast grand historic valley conference bridge winning approximately films chinese awarded degree russian shows native female replaced municipality square studio medical data african successful mid bay attack previous operations spanish theatre student republic beginning provide ship primary owned writing tournament culture introduced texas related natural parts governor reached ireland units senior decided italian whose higher africa standard income professor placed regional los buildings championships active novel energy generally interest via economic previously stated itself channel below operation leader traditional trade structure limited runs prior regular famous saint navy foreign listed artist catholic airport results parliament collection unit officer goal attended command staff commission lived location plays commercial places foundation significant older medal self scored companies highway activities programs wide musical notable library numerous paris towards individual allowed plant property annual contract whom highest initially required earlier assembly artists rural seat practice defeated ended soviet length spent manager press associated author issues additional characters lord zealand policy engine township noted historical complete financial religious mission contains nine recent represented pennsylvania administration opening secretary lines report executive youth closed theory writer italy angeles appearance feature queen launched legal terms entered issue edition singer greek majority background source anti cultural complex changes recording stadium islands operated particularly basketball month uses port castle mostly names fort selected increased status earth subsequently pacific cover variety certain goals remains upper congress becoming studied irish nature particular loss caused chart dr. forced create era retired material review rate singles referred larger individuals shown provides products speed democratic poland parish olympics cities themselves temple wing genus households serving cost wales stations passed supported view cases forms actor male matches males stars tracks females administrative median effect biography train engineering camp offered chairman houses mainly 19th surface therefore nearly score ancient subject prime seasons claimed experience specific jewish failed overall believed plot troops greater spain consists broadcast heavy increase raised separate campus 1980s appears presented lies composed recently influence fifth nations creek references elections britain double cast meaning earned carried producer latter housing brothers attempt article response border remaining nearby direct ships value workers politician academic label 1970s commander rule fellow residents authority editor transport dutch projects responsible covered territory flight races defense tower emperor albums facilities daily stories assistant managed primarily quality function proposed distribution conditions prize journal code vice newspaper corps highly constructed mayor critical secondary corporation rugby regiment ohio appearances serve allow nation multiple discovered directly scene levels growth elements acquired 1990s officers physical 20th latin host jersey graduated arrived issued literature metal estate vote immediately quickly asian competed extended produce urban 1960s promoted contemporary global formerly appear industrial types opera ministry soldiers commonly mass formation smaller typically drama shortly density senate effects iran polish prominent naval settlement divided basis republican languages distance treatment continue product mile sources footballer format clubs leadership initial offers operating avenue officially columbia grade squadron fleet percent farm leaders agreement likely equipment website mount grew method transferred intended renamed iron asia reserve capacity politics widely activity advanced relations scottish dedicated crew founder episodes lack amount build efforts concept follows ordered leaves positive economy entertainment affairs memorial ability illinois communities color text railroad scientific focus comedy serves exchange environment cars direction organized firm description agency analysis purpose destroyed reception planned revealed infantry architecture growing featuring household candidate removed situated models knowledge solo technical organizations assigned conducted participated largely purchased register gained combined headquarters adopted potential protection scale approach spread independence mountains titled geography applied safety mixed accepted continues captured rail defeat principal recognized lieutenant mentioned semi owner joint liberal actress traffic creation basic notes unique supreme declared simply plants sales massachusetts designated parties jazz compared becomes resources titles concert learning remain teaching versions content alongside revolution sons block premier impact champions districts generation estimated volume image sites account roles sport quarter providing zone yard scoring classes presence performances representatives hosted split taught origin olympic claims critics facility occurred suffered municipal damage defined resulted respectively expanded platform draft opposition expected educational ontario climate reports atlantic surrounding performing reduced ranked allows birth nominated younger newly kong positions theater philadelphia heritage finals disease sixth laws reviews constitution tradition swedish theme fiction rome medicine trains resulting existing deputy environmental labour classical develop fans granted receive alternative begins nuclear fame buried connected identified palace falls letters combat sciences effort villages inspired regions towns conservative chosen animals labor attacks materials yards steel representative orchestra peak entitled officials returning reference northwest imperial convention examples ocean publication painting subsequent frequently religion brigade fully sides acts cemetery relatively oldest suggested succeeded achieved application programme cells votes promotion graduate armed supply flying communist figures literary netherlands korea worldwide citizens 1950s faculty draw stock seats occupied methods unknown articles claim holds authorities audience sweden interview obtained covers settled transfer marked allowing funding challenge southeast unlike crown rise portion transportation sector phase properties edge tropical standards institutions philosophy legislative hills brand fund conflict unable founding refused attempts metres permanent starring applications creating effective aired extensive employed enemy expansion billboard rank battalion multi vehicle fought alliance category perform federation poetry bronze bands entry vehicles bureau maximum billion trees intelligence greatest screen refers commissioned gallery injury confirmed setting treaty adult americans broadcasting supporting pilot mobile writers programming existence squad minnesota copies korean provincial sets defence offices agricultural internal core northeast retirement factory actions prevent communications ending weekly containing functions attempted interior weight bowl recognition incorporated increasing ultimately documentary derived attacked lyrics mexican external churches centuries metropolitan selling opposed personnel mill visited presidential roads pieces norwegian controlled 18th rear influenced wrestling weapons launch composer locations developing circuit specifically studios shared canal wisconsin publishing approved domestic consisted determined comic establishment exhibition southwest fuel electronic cape converted educated melbourne hits wins producing norway slightly occur surname identity represent constituency funds proved links structures athletic birds contest users poet institution display receiving rare contained guns motion piano temperature publications passenger contributed toward cathedral inhabitants architect exist athletics muslim courses abandoned signal successfully disambiguation tennessee dynasty heavily maryland jews representing budget weather missouri introduction faced pair chapel reform height vietnam occurs motor cambridge lands focused sought patients shape invasion chemical importance communication selection regarding homes voivodeship maintained borough failure aged passing agriculture oregon teachers flow philippines trail seventh portuguese resistance reaching negative fashion scheduled downtown universities trained skills scenes views notably typical incident candidates engines decades composition commune chain inc. austria sale values employees chamber regarded winners registered task investment colonial swiss user entirely flag stores closely entrance laid journalist coal equal causes turkish quebec techniques promote junction easily dates kentucky singapore residence violence advance survey humans expressed passes streets distinguished qualified folk establish egypt artillery visual improved actual finishing medium protein switzerland productions operate poverty neighborhood organisation consisting consecutive sections partnership extension reaction factor costs bodies device ethnic racial flat objects chapter improve musicians courts controversy membership merged wars expedition interests arab comics gain describes mining bachelor crisis joining decade 1930s distributed habitat routes arena cycle divisions briefly vocals directors degrees object recordings installed adjacent demand voted causing businesses ruled grounds starred drawn opposite stands formal operates persons counties compete wave israeli ncaa resigned brief greece combination demographics historian contain commonwealth musician collected argued louisiana session cabinet parliamentary electoral loan profit regularly conservation islamic purchase 17th charts residential earliest designs paintings survived moth items goods grey anniversary criticism images discovery observed underground progress additionally participate thousands reduce elementary owners stating iraq resolution capture tank rooms hollywood finance queensland reign maintain iowa landing broad outstanding circle path manufacturing assistance sequence gmina crossing leads universal shaped kings attached medieval ages metro colony affected scholars oklahoma coastal soundtrack painted attend definition meanwhile purposes trophy require marketing popularity cable mathematics mississippi represents scheme appeal distinct factors acid subjects roughly terminal economics senator diocese prix contrast argentina czech wings relief stages duties 16th novels accused whilst equivalent charged measure documents couples request danish defensive guide devices statistics credited tries passengers allied frame puerto peninsula concluded instruments wounded differences associate forests afterwards replace requirements aviation solution offensive ownership inner legislation hungarian contributions actors translated denmark steam depending aspects assumed injured severe admitted determine shore technique arrival measures translation debuted delivered returns rejected separated visitors damaged storage accompanied markets industries losses gulf charter strategy corporate socialist somewhat significantly physics mounted satellite experienced constant relative pattern restored belgium connecticut partners harvard retained networks protected mode artistic parallel collaboration debate involving journey linked salt authors components context occupation requires occasionally policies tamil ottoman revolutionary hungary poem versus gardens amongst audio makeup frequency meters orthodox continuing suggests legislature coalition guitarist eighth classification practices soil tokyo instance limit coverage considerable ranking colleges cavalry centers daughters twin equipped broadway narrow hosts rates domain boundary arranged 12th whereas brazilian forming rating strategic competitions trading covering baltimore commissioner infrastructure origins replacement praised disc collections expression ukraine driven edited austrian solar ensure premiered successor wooden operational hispanic concerns rapid prisoners childhood meets influential tunnel employment tribe qualifying adapted temporary celebrated appearing increasingly depression adults cinema entering laboratory script flows romania accounts fictional pittsburgh achieve monastery franchise formally tools newspapers revival sponsored processes vienna springs missions classified 13th annually branches lakes gender manner advertising normally maintenance adding characteristics integrated decline modified strongly critic victims malaysia arkansas nazi restoration powered monument hundreds depth 15th controversial admiral criticized brick honorary initiative output visiting birmingham progressive existed carbon 1920s credits colour rising hence defeating s

URLs

https

http

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

HotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exendp48-devpack-enu.exendp48-devpack-enu.exeNDP48-DevPack-ENU.exendp48-x86-x64-allos-enu.exeSetup.exeSetupUtility.exeHotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exeProtonVPN_win_v1.26.0.exe

pid	process
2012	HotspotShield-11.0.1-plain-773-plain.exe
2700	HotspotShield-11.0.1-plain-773-plain.exe
2736	HSS-11.0.1-install-plain-773-plain.exe
2156	HotspotShield-11.0.1-plain-773-plain.exe
524	HotspotShield-11.0.1-plain-773-plain.exe
2452	HSS-11.0.1-install-plain-773-plain.exe
2324	software_reporter_tool.exe
2548	software_reporter_tool.exe
2320	software_reporter_tool.exe
1780	software_reporter_tool.exe
2840	ndp48-devpack-enu.exe
2136	ndp48-devpack-enu.exe
2748	NDP48-DevPack-ENU.exe
2864	ndp48-x86-x64-allos-enu.exe
2084	Setup.exe
2560	SetupUtility.exe
2812	HotspotShield-11.0.1-plain-773-plain.exe
2220	HotspotShield-11.0.1-plain-773-plain.exe
2888	HSS-11.0.1-install-plain-773-plain.exe
2896	ProtonVPN_win_v1.26.0.exe

Loads dropped DLL 57 IoCs

Processes:

SpeedifyInstaller.exeSpeedifyInstaller.exeSpeedifyInstaller.exeSpeedifyInstaller.exeSpeedifyInstaller.exeHotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exechrome.exesoftware_reporter_tool.exendp48-devpack-enu.exendp48-devpack-enu.exendp48-x86-x64-allos-enu.exeSetup.exeHotspotShield-11.0.1-plain-773-plain.exeHotspotShield-11.0.1-plain-773-plain.exeSpeedifyInstaller.exeSpeedifyInstaller.exeProtonVPN_win_v1.26.0.exeMsiExec.exeMsiExec.exe

pid	process
2500	SpeedifyInstaller.exe
2500	SpeedifyInstaller.exe
2500	SpeedifyInstaller.exe
2500	SpeedifyInstaller.exe
2608	SpeedifyInstaller.exe
2608	SpeedifyInstaller.exe
2160	SpeedifyInstaller.exe
2160	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1508	SpeedifyInstaller.exe
1996	SpeedifyInstaller.exe
1996	SpeedifyInstaller.exe
2012	HotspotShield-11.0.1-plain-773-plain.exe
2700	HotspotShield-11.0.1-plain-773-plain.exe
2700	HotspotShield-11.0.1-plain-773-plain.exe
2700	HotspotShield-11.0.1-plain-773-plain.exe
2156	HotspotShield-11.0.1-plain-773-plain.exe
524	HotspotShield-11.0.1-plain-773-plain.exe
524	HotspotShield-11.0.1-plain-773-plain.exe
524	HotspotShield-11.0.1-plain-773-plain.exe
1584	chrome.exe
2320	software_reporter_tool.exe
2320	software_reporter_tool.exe
2320	software_reporter_tool.exe
2320	software_reporter_tool.exe
2320	software_reporter_tool.exe
2320	software_reporter_tool.exe
2320	software_reporter_tool.exe
2840	ndp48-devpack-enu.exe
2136	ndp48-devpack-enu.exe
2136	ndp48-devpack-enu.exe
2864	ndp48-x86-x64-allos-enu.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2812	HotspotShield-11.0.1-plain-773-plain.exe
2220	HotspotShield-11.0.1-plain-773-plain.exe
2220	HotspotShield-11.0.1-plain-773-plain.exe
2220	HotspotShield-11.0.1-plain-773-plain.exe
2576	SpeedifyInstaller.exe
2576	SpeedifyInstaller.exe
1628	SpeedifyInstaller.exe
1628	SpeedifyInstaller.exe
2896	ProtonVPN_win_v1.26.0.exe
2896	ProtonVPN_win_v1.26.0.exe
2308	MsiExec.exe
2308	MsiExec.exe
2188	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HSS-11.0.1-install-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exeSpeedifyInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f0b6a0a1-8842-49c4-9da0-269df240047a} = "\"C:\\ProgramData\\Package Cache\\{f0b6a0a1-8842-49c4-9da0-269df240047a}\\HSS-11.0.1-install-plain-773-plain.exe\" /burn.runonce"	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f0b6a0a1-8842-49c4-9da0-269df240047a} = "\"C:\\ProgramData\\Package Cache\\{f0b6a0a1-8842-49c4-9da0-269df240047a}\\HSS-11.0.1-install-plain-773-plain.exe\" /burn.runonce"	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f0b6a0a1-8842-49c4-9da0-269df240047a} = "\"C:\\ProgramData\\Package Cache\\{f0b6a0a1-8842-49c4-9da0-269df240047a}\\HSS-11.0.1-install-plain-773-plain.exe\" /burn.runonce"	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run	SpeedifyInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Speedify-Installer = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Speedify\\SpeedifyInstaller.exe\" /SOURCE= /CAMPAIGN="	SpeedifyInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	HSS-11.0.1-install-plain-773-plain.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ndp48-devpack-enu.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ndp48-devpack-enu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ndp48-devpack-enu.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeProtonVPN_win_v1.26.0.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\S:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\W:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\R:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\V:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\N:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\Q:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\G:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\K:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\J:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\U:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\X:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\E:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\O:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\T:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\F:	ProtonVPN_win_v1.26.0.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

wusa.exeNDP48-DevPack-ENU.exeHSS-11.0.1-install-plain-773-plain.exendp48-devpack-enu.exeSetup.exeHSS-11.0.1-install-plain-773-plain.exeDrvInst.exeHSS-11.0.1-install-plain-773-plain.exeSetupUtility.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\WindowsUpdate.log	NDP48-DevPack-ENU.exe
File opened for modification	C:\Windows\WindowsUpdate.log	HSS-11.0.1-install-plain-773-plain.exe
File opened for modification	C:\Windows\WindowsUpdate.log	ndp48-devpack-enu.exe
File opened for modification	C:\Windows\WindowsUpdate.log	Setup.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\WindowsUpdate.log	wusa.exe
File opened for modification	C:\Windows\WindowsUpdate.log	HSS-11.0.1-install-plain-773-plain.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\WindowsUpdate.log	HSS-11.0.1-install-plain-773-plain.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\WindowsUpdate.log	SetupUtility.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 27 IoCs

Processes:

HSS-11.0.1-install-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exeHSS-11.0.1-install-plain-773-plain.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\ = "{f0b6a0a1-8842-49c4-9da0-269df240047a}"	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Version = "11.0.1.12066"	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\ = "{f0b6a0a1-8842-49c4-9da0-269df240047a}"	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Version = "11.0.1.12066"	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\DisplayName = "Hotspot Shield 11.0.1"	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Version = "11.0.1.12066"	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\ = "{f0b6a0a1-8842-49c4-9da0-269df240047a}"	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\DisplayName = "Hotspot Shield 11.0.1"	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\DisplayName = "Hotspot Shield 11.0.1"	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents\{f0b6a0a1-8842-49c4-9da0-269df240047a}	HSS-11.0.1-install-plain-773-plain.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0b6a0a1-8842-49c4-9da0-269df240047a}\Dependents	HSS-11.0.1-install-plain-773-plain.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

notepad.exenotepad.exe

pid process

2892 notepad.exe
2376 notepad.exe

pid	process
2892	notepad.exe
2376	notepad.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exechrome.exeSetup.exechrome.exeMsiExec.exe

pid	process
1784	chrome.exe
1584	chrome.exe
1584	chrome.exe
2292	chrome.exe
2972	chrome.exe
2428	chrome.exe
1968	chrome.exe
1584	chrome.exe
1584	chrome.exe
1100	chrome.exe
2432	chrome.exe
1192	chrome.exe
2324	software_reporter_tool.exe
2324	software_reporter_tool.exe
2972	chrome.exe
2856	chrome.exe
3060	chrome.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2084	Setup.exe
2200	chrome.exe
2308	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

SpeedifyInstaller.exeSetup.exechrome.exeProtonVPN_win_v1.26.0.exe

pid process

2608 SpeedifyInstaller.exe
2084 Setup.exe
1584 chrome.exe
2896 ProtonVPN_win_v1.26.0.exe

pid	process
2608	SpeedifyInstaller.exe
2084	Setup.exe
1584	chrome.exe
2896	ProtonVPN_win_v1.26.0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEsoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exevssvc.exeDrvInst.exeSetup.exemsiexec.exeProtonVPN_win_v1.26.0.exe

description	pid	process
Token: 33	2336	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2336	AUDIODG.EXE
Token: 33	2336	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2336	AUDIODG.EXE
Token: 33	2548	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2548	software_reporter_tool.exe
Token: 33	2324	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2324	software_reporter_tool.exe
Token: 33	2320	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2320	software_reporter_tool.exe
Token: 33	1780	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1780	software_reporter_tool.exe
Token: SeBackupPrivilege	1448	vssvc.exe
Token: SeRestorePrivilege	1448	vssvc.exe
Token: SeAuditPrivilege	1448	vssvc.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeRestorePrivilege	2640	DrvInst.exe
Token: SeLoadDriverPrivilege	2640	DrvInst.exe
Token: SeLoadDriverPrivilege	2640	DrvInst.exe
Token: SeLoadDriverPrivilege	2640	DrvInst.exe
Token: SeDebugPrivilege	2084	Setup.exe
Token: SeRestorePrivilege	896	msiexec.exe
Token: SeTakeOwnershipPrivilege	896	msiexec.exe
Token: SeSecurityPrivilege	896	msiexec.exe
Token: SeCreateTokenPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeAssignPrimaryTokenPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeLockMemoryPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeIncreaseQuotaPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeMachineAccountPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeTcbPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeSecurityPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeTakeOwnershipPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeLoadDriverPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeSystemProfilePrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeSystemtimePrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeProfSingleProcessPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeIncBasePriorityPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeCreatePagefilePrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeCreatePermanentPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeBackupPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeRestorePrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeShutdownPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeDebugPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeAuditPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeSystemEnvironmentPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeChangeNotifyPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeRemoteShutdownPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeUndockPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeSyncAgentPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeEnableDelegationPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeManageVolumePrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeImpersonatePrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeCreateGlobalPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeCreateTokenPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeAssignPrimaryTokenPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeLockMemoryPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeIncreaseQuotaPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeMachineAccountPrivilege	2896	ProtonVPN_win_v1.26.0.exe
Token: SeTcbPrivilege	2896	ProtonVPN_win_v1.26.0.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

2_AutoClicker.exechrome.exe

pid	process
1688	2_AutoClicker.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2_AutoClicker.exe

pid process

1688 2_AutoClicker.exe
1688 2_AutoClicker.exe
1688 2_AutoClicker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1584 wrote to memory of 1644	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1644	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1644	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1784	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1784	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1784	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1464	1584	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2936 attrib.exe
2580 attrib.exe

pid	process
2936	attrib.exe
2580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2_AutoClicker.exe
"C:\Users\Admin\AppData\Local\Temp\2_AutoClicker.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d34f50,0x7fef6d34f60,0x7fef6d34f70
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1132 /prefetch:2
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1684 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3052 /prefetch:2
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2412 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3592 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4212 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4028 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4304 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3300 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:1612
- C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe
  "C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2012
- - C:\Windows\Temp\{0966D87D-21FC-4D3F-9024-4288C0943BD7}\.cr\HotspotShield-11.0.1-plain-773-plain.exe
    "C:\Windows\Temp\{0966D87D-21FC-4D3F-9024-4288C0943BD7}\.cr\HotspotShield-11.0.1-plain-773-plain.exe" -burn.clean.room="C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2700
  - - C:\Windows\Temp\{4F4D3080-1BCF-4D40-B09E-170B65B18193}\.be\HSS-11.0.1-install-plain-773-plain.exe
      "C:\Windows\Temp\{4F4D3080-1BCF-4D40-B09E-170B65B18193}\.be\HSS-11.0.1-install-plain-773-plain.exe" -q -burn.elevated BurnPipe.{F7AA2157-D8BB-44F6-AB94-AC90D407FD05} {9ACCCADD-02DB-4BD3-BC07-71AB16EF852D} 2700
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:936
- C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe
  "C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2156
- - C:\Windows\Temp\{E615D487-E3AD-4D5B-8F27-0E25E289F02D}\.cr\HotspotShield-11.0.1-plain-773-plain.exe
    "C:\Windows\Temp\{E615D487-E3AD-4D5B-8F27-0E25E289F02D}\.cr\HotspotShield-11.0.1-plain-773-plain.exe" -burn.clean.room="C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:524
  - - C:\Windows\Temp\{F4258B87-A210-42C0-AF30-50DCC547D796}\.be\HSS-11.0.1-install-plain-773-plain.exe
      "C:\Windows\Temp\{F4258B87-A210-42C0-AF30-50DCC547D796}\.be\HSS-11.0.1-install-plain-773-plain.exe" -q -burn.elevated BurnPipe.{3589FC8B-FB8D-4197-A4C3-821D6C3AA37D} {B1BB3325-1CA7-461D-8413-564724187B47} 524
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:8
  2⤵
  PID:540
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=LU6a5zZu+noO58yHFYicnnntBEVyS0TtcVMBxzHS --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13f3025a0,0x13f3025b0,0x13f3025c0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2324_UQKHJFOAAJREORFM" --sandboxed-process-id=2 --init-done-notifier=492 --sandbox-mojo-pipe-token=3506992109939782783 --mojo-platform-channel-handle=460 --engine=2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2324_UQKHJFOAAJREORFM" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=7385417880199177433 --mojo-platform-channel-handle=640
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=620 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1012 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 /prefetch:8
  2⤵
  PID:1056
- C:\Users\Admin\Downloads\ndp48-devpack-enu.exe
  "C:\Users\Admin\Downloads\ndp48-devpack-enu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2840
- - C:\Windows\Temp\{3CEC6CF0-FBE0-4905-A485-D85D141946A3}\.cr\ndp48-devpack-enu.exe
    "C:\Windows\Temp\{3CEC6CF0-FBE0-4905-A485-D85D141946A3}\.cr\ndp48-devpack-enu.exe" -burn.clean.room="C:\Users\Admin\Downloads\ndp48-devpack-enu.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    PID:2136
  - - C:\Windows\Temp\{97C86A3D-D2CB-488C-BFC9-93CE86EC7690}\.be\NDP48-DevPack-ENU.exe
      "C:\Windows\Temp\{97C86A3D-D2CB-488C-BFC9-93CE86EC7690}\.be\NDP48-DevPack-ENU.exe" -q -burn.elevated BurnPipe.{9D38FA3D-AC49-4B2A-A7B9-7C035FC80753} {8721D82B-0F9C-4212-8D98-6CF12454729B} 2136
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=992 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1632 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4264 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:2228
- C:\Users\Admin\Downloads\ndp48-x86-x64-allos-enu.exe
  "C:\Users\Admin\Downloads\ndp48-x86-x64-allos-enu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2864
- - C:\0677a4ed283bba2ebbc57b43b6ab71\Setup.exe
    C:\0677a4ed283bba2ebbc57b43b6ab71\\Setup.exe /x86 /x64 /redist
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
  - - C:\0677a4ed283bba2ebbc57b43b6ab71\SetupUtility.exe
      SetupUtility.exe /aupause
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:2992
- C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe
  "C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2812
- - C:\Windows\Temp\{14145962-AE3D-4E07-9BFB-08EC7B32023C}\.cr\HotspotShield-11.0.1-plain-773-plain.exe
    "C:\Windows\Temp\{14145962-AE3D-4E07-9BFB-08EC7B32023C}\.cr\HotspotShield-11.0.1-plain-773-plain.exe" -burn.clean.room="C:\Users\Admin\Downloads\HotspotShield-11.0.1-plain-773-plain.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2220
  - - C:\Windows\Temp\{6264AEB9-7CC7-4289-A3DA-2D19725FC438}\.be\HSS-11.0.1-install-plain-773-plain.exe
      "C:\Windows\Temp\{6264AEB9-7CC7-4289-A3DA-2D19725FC438}\.be\HSS-11.0.1-install-plain-773-plain.exe" -q -burn.elevated BurnPipe.{E7EE4ED9-8EB0-41D1-9AE4-99CD07873F80} {1C0B83EC-274E-4696-B0FB-56C6C33F4137} 2220
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4204 /prefetch:8
  2⤵
  PID:2580
- C:\Users\Admin\Downloads\ProtonVPN_win_v1.26.0.exe
  "C:\Users\Admin\Downloads\ProtonVPN_win_v1.26.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\{D84BF03F-46AB-491B-9185-56732D3C3C2D}\check-KB2992611.bat" "
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic qfe get hotfixid
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\findstr.exe
      FindStr "KB2992611"
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\{D84BF03F-46AB-491B-9185-56732D3C3C2D}\check-KB3033929.bat" "
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic qfe get hotfixid
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\findstr.exe
      FindStr "KB3033929 KB4019264 KB4022719 KB4025341 KB4034664 KB4038777 KB4041681 KB4343900 KB4457144 KB4462923 KB4467107 KB4471318 KB4480970 KB4486563 KB4489878 KB4474419 KB4493472 KB4499164 KB4499175 KB4503292 KB4503269 KB4507449 KB4507456 KB4512506 KB4516065 KB4519976 KB4524157 KB4015549 KB3197868 KB3185330"
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\{D84BF03F-46AB-491B-9185-56732D3C3C2D}\check-KB3063858.bat" "
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic qfe get hotfixid
      4⤵
      PID:656
  - - C:\Windows\SysWOW64\findstr.exe
      FindStr "KB3063858 KB2533623 KB4457144 KB3126587 KB3126593 KB3146706 KB4014793"
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\{D84BF03F-46AB-491B-9185-56732D3C3C2D}\check-KB2921916.bat" "
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic qfe get hotfixid
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\findstr.exe
      FindStr "KB2921916"
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE4056.bat" "
    3⤵
    PID:2980
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\AIE4CCE.tmp"
      4⤵
      Views/modifies file attributes
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE4056.bat"
      4⤵
      Views/modifies file attributes
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4056.bat" "
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=532 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,11950793431525503215,10357421546827139221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
  2⤵
  PID:2340

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
PID:2500
- C:\Windows\SysWOW64\wusa.exe
  wusa.exe "C:\Users\Admin\AppData\Local\Temp\Speedify\Windows6.1-KB3033929.msu"
  2⤵
  - Drops file in Windows directory
  PID:3020

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2608

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
PID:2160

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
PID:1508

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
PID:1996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Hotspot_Shield_11.0.1_20220325224930.log
1⤵
- Opens file in notepad (likely ransom note)
PID:2892

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Hotspot_Shield_11.0.1_20220325224930.log
1⤵
- Opens file in notepad (likely ransom note)
PID:2376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "0000000000000300"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
PID:2576

C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe
"C:\Users\Admin\Desktop\New folder\SpeedifyInstaller.exe"
1⤵
- Loads dropped DLL
PID:1628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 968105F585BA0EDC2E9157538551D04B C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB4D01DFACB1C2B2CFCE0088DFAAA0E9 C
  2⤵
  - Loads dropped DLL
  PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
06cceaeb3d5e9aefe3f41e4a3f6a9100

SHA1
687f4a28471a0f4fcd9ad1bb2e8f61aa3cd386e5

SHA256
dff5ff7100879d69cf1a93759000d0751d420e49161cc7551a603da571eebce8

SHA512
a2e4660dd6bd8f134ca2c60a80e99795561337d45f2f703e0defe9eed4a6f0e4412bed7320ddf49967553b79b354aa5910fb6f747589596f02a8536f211e10e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
08e32c42d49168e4727accb16ff00621

SHA1
92a592dd114ccdd867bc007447ad35d9086178be

SHA256
693267cc9b0709cdb91abaf05f63f9dbeb425f3536e8ee84b4680e6758851281

SHA512
d53e10446953e3aba46a0f4b14e7c0b3230996b9afd3cf77970196339e273128068ed6413a50c57d4d4151734dfcf43abd9e8bf1f6398edf6986a908a46c454c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpeedifyUnicodeInstall.txt

MD5
14d1385ac4d8ac05f8e213cd1c34dfe6

SHA1
c70470c228f9ada535eeaf52a490ff95106e5d36

SHA256
7a46c33d3ac127cdef099c3130348b4491fa3a11cbdd9ad6e30b8680e19d9856

SHA512
0a9e33e5e7b44721c69a2123c3f48f731d10e47ee5b9d9ce4437e92955de7dac190f6e30308c64249c01463522dba1bfd91ae9e597227f74f4dd02ef01d9897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpeedifyUnicodeInstall.txt

MD5
6cd77d6d94c9197efa9a53b5750f0cd8

SHA1
779ad5b03f91cdf4d5c24fff351c8ddf123fe7c4

SHA256
00d0c47414a22dd63054b86f50fb42451925ac9c6e2e2258c7d3b57c0a494dbc

SHA512
b25ef90c135597034d0f7c9db565d710de1ead38f58d30c7a2168bd62db0e56ee9eb4fc625f30f9223dd4c224066f9c4a00145a5ce2e637b0629454fce20ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpeedifyUnicodeInstall.txt

MD5
63b04b255afebc7c09ffc6561b17f3b9

SHA1
2a16dcc713b29b7806d03d1c709be95c81ef963c

SHA256
2a5e7ceaba6f46e9d0d48f68a0a1db19c9d79bc348523001e587e8a73c7a2518

SHA512
5d525508f371218e443c9544782c4fef4b887c029b1a1379f25bab320c7fbb277995a807345e47409c19d862083a61d355b8f73bd617ea526bcd0afa9b6e0245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\SpeedifyInstaller.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\SpeedifyInstaller.exe

MD5
ef874412f3c62915f8a1afbd2a66dfaf

SHA1
999e9ad4cbcfc3e1e5934e7aafdabf0672fe37f9

SHA256
1193755f11a8eb1c3f673aae00afc65cc17948ffac0e8908cb4f888ebd34db1c

SHA512
629da2d362c08a917a15b7510c9f9c7d64020ac9aa41252300e7750f8695f64494eef9420f6ac9908bc5f0c989ab73544b49fe9a734d5557318253aed0953a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\SpeedifyInstaller.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\SpeedifyShutdown.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\SpeedifyShutdown.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\SpeedifyShutdown.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speedify\Windows6.1-KB3033929.msu

MD5
87ff18974de76144206910d0d41a8ae5

SHA1
5c56222b0caf43030addc9ad262633fcbddfcd41

SHA256
5318587007edb6c8b29310ff18da479a162b486b9101a7de735f94a70dbc3b31

SHA512
10d9180affd860c26fa4022ab26e8640397f4006bbfd5ac4c50ac0ed9cb72a0e591a71ef071d2087893f3769e83f62f4d45674342653b7d44df421440b15a059

Download Submit
\??\pipe\crashpad_1584_IACNEXDBJWFDHYEM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nse2628.tmp\INetC.dll

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nse2628.tmp\System.dll

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nse2628.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nse2628.tmp\nsExec.dll

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Temp\nsg70EE.tmp\INetC.dll

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsg70EE.tmp\INetC.dll

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsg70EE.tmp\INetC.dll

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsg70EE.tmp\INetC.dll

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsg70EE.tmp\System.dll

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsg70EE.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nskF04A.tmp\System.dll

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nskF04A.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsq1576.tmp\System.dll

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsq1576.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/524-100-0x00000000743B1000-0x00000000743B3000-memory.dmp

Filesize
8KB

Download
memory/524-98-0x0000000000000000-mapping.dmp

Download
memory/656-187-0x0000000000000000-mapping.dmp

Download
memory/1056-196-0x0000000000000000-mapping.dmp

Download
memory/1688-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1728-190-0x0000000000000000-mapping.dmp

Download
memory/1780-142-0x000000013F307000-0x000000013F308000-memory.dmp

Filesize
4KB

Download
memory/1780-144-0x0000000000000000-mapping.dmp

Download
memory/1780-143-0x000000013F307000-0x000000013F308000-memory.dmp

Filesize
4KB

Download
memory/1816-195-0x0000000000000000-mapping.dmp

Download
memory/1976-189-0x0000000000000000-mapping.dmp

Download
memory/1988-181-0x0000000000000000-mapping.dmp

Download
memory/2012-89-0x0000000000000000-mapping.dmp

Download
memory/2064-184-0x0000000000000000-mapping.dmp

Download
memory/2084-159-0x0000000000000000-mapping.dmp

Download
memory/2128-188-0x0000000000000000-mapping.dmp

Download
memory/2136-151-0x0000000000000000-mapping.dmp

Download
memory/2136-153-0x0000000074521000-0x0000000074523000-memory.dmp

Filesize
8KB

Download
memory/2140-185-0x0000000000000000-mapping.dmp

Download
memory/2156-96-0x0000000000000000-mapping.dmp

Download
memory/2176-180-0x0000000000000000-mapping.dmp

Download
memory/2188-178-0x0000000000000000-mapping.dmp

Download
memory/2220-165-0x0000000000000000-mapping.dmp

Download
memory/2300-191-0x0000000000000000-mapping.dmp

Download
memory/2308-176-0x0000000000000000-mapping.dmp

Download
memory/2320-123-0x000000013F307000-0x000000013F308000-memory.dmp

Filesize
4KB

Download
memory/2320-124-0x0000000000000000-mapping.dmp

Download
memory/2320-122-0x000000013F307000-0x000000013F308000-memory.dmp

Filesize
4KB

Download
memory/2320-147-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2320-148-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2320-158-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2324-103-0x0000000000000000-mapping.dmp

Download
memory/2452-101-0x0000000000000000-mapping.dmp

Download
memory/2548-104-0x0000000000000000-mapping.dmp

Download
memory/2560-161-0x0000000000000000-mapping.dmp

Download
memory/2580-193-0x0000000000000000-mapping.dmp

Download
memory/2668-183-0x0000000000000000-mapping.dmp

Download
memory/2700-93-0x00000000743C1000-0x00000000743C3000-memory.dmp

Filesize
8KB

Download
memory/2700-91-0x0000000000000000-mapping.dmp

Download
memory/2736-94-0x0000000000000000-mapping.dmp

Download
memory/2748-154-0x0000000000000000-mapping.dmp

Download
memory/2812-163-0x0000000000000000-mapping.dmp

Download
memory/2840-149-0x0000000000000000-mapping.dmp

Download
memory/2856-186-0x0000000000000000-mapping.dmp

Download
memory/2864-156-0x0000000000000000-mapping.dmp

Download
memory/2888-168-0x0000000000000000-mapping.dmp

Download
memory/2892-146-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/2896-172-0x0000000000000000-mapping.dmp

Download
memory/2896-174-0x0000000074181000-0x0000000074183000-memory.dmp

Filesize
8KB

Download
memory/2936-194-0x0000000000000000-mapping.dmp

Download
memory/2980-192-0x0000000000000000-mapping.dmp

Download
memory/2992-182-0x0000000000000000-mapping.dmp

Download
memory/3020-62-0x0000000000000000-mapping.dmp

Download