xmrig | e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\""	wscript.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

Change Default File Association

T1042

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setups.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setups.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setups.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3736-154-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3736-155-0x000000014036EAC4-mapping.dmp	xmrig
behavioral1/memory/3736-157-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3736-156-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3736-160-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3736-161-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3736-266-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 12 IoCs

Processes:

mmgaserver.exemmgaserver.exeChromeRecovery.exeSetups.exeMrsMajor3.0.exeeulascr.exeMrsMajor2.0.exeBossDaMajor.exeBossDaMajor.exeeula32.exeGetReady.exenotmuch.exe

pid	process
5088	mmgaserver.exe
3960	mmgaserver.exe
4064	ChromeRecovery.exe
2660	Setups.exe
1576	MrsMajor3.0.exe
4720	eulascr.exe
1072	MrsMajor2.0.exe
1468	BossDaMajor.exe
4012	BossDaMajor.exe
4140	eula32.exe
4316	GetReady.exe
3640	notmuch.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4284 takeown.exe
2864 icacls.exe
4708 takeown.exe
4908 icacls.exe

pid	process
4284	takeown.exe
2864	icacls.exe
4708	takeown.exe
4908	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Setups.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setups.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setups.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

BossDaMajor.exewscript.exee01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exemmgaserver.exemmgaserver.exeMrsMajor3.0.exewscript.exeBossDaMajor.exeGetReady.exeMrsMajor2.0.exewscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	BossDaMajor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mmgaserver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mmgaserver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	BossDaMajor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	GetReady.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	MrsMajor2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

eulascr.exe

pid process

4720 eulascr.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4284 takeown.exe
2864 icacls.exe
4708 takeown.exe
4908 icacls.exe

pid	process
4720	eulascr.exe

pid	process
4284	takeown.exe
2864	icacls.exe
4708	takeown.exe
4908	icacls.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B50.tmp\eulascr.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\B50.tmp\eulascr.exe	agile_net
behavioral1/memory/4720-190-0x0000000000DA0000-0x0000000000DCA000-memory.dmp	agile_net

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Setups.exe	themida
C:\Users\Admin\Desktop\Setups.exe	themida
behavioral1/memory/2660-170-0x0000000000DE0000-0x000000000159F000-memory.dmp	themida
behavioral1/memory/2660-171-0x0000000000DE0000-0x000000000159F000-memory.dmp	themida
behavioral1/memory/2660-172-0x0000000000DE0000-0x000000000159F000-memory.dmp	themida
behavioral1/memory/2660-173-0x0000000000DE0000-0x000000000159F000-memory.dmp	themida
behavioral1/memory/2660-175-0x0000000000DE0000-0x000000000159F000-memory.dmp	themida
behavioral1/memory/2660-177-0x0000000000DE0000-0x000000000159F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

wscript.exemmgaserver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetVPUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\NetVPUpdater.exe\""	mmgaserver.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Setups.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setups.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setups.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\sethc.exe	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setups.exe

pid process

2660 Setups.exe

pid	process
2660	Setups.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mmgaserver.exemmgaserver.exe

description	pid	process	target process
PID 5088 set thread context of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 3960 set thread context of 3736	3960	mmgaserver.exe	notepad.exe

Drops file in Program Files directory 60 IoCs

Processes:

wscript.exewscript.exeelevation_service.exewscript.exe

description	ioc	process
File created	C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\Major.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat	wscript.exe
File created	C:\Program Files\mrsmajor\default.txt	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\creepysound.mp3	wscript.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\manifest.json	elevation_service.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\example.txt	wscript.exe
File created	C:\Program Files\mrsmajor\WinLogon.bat	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\Skullcur.cur	wscript.exe
File created	C:\Program Files\mrsmajor\Launcher.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\reStart.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs	wscript.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\ChromeRecovery.exe	elevation_service.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe	wscript.exe
File created	C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico	wscript.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\manifest.json	elevation_service.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat	wscript.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\ChromeRecovery.exe	elevation_service.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\bsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\f11.mp4	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGui.exe	wscript.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\_metadata\verified_contents.json	elevation_service.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majordared.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\DreS_X.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe	wscript.exe
File created	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat	wscript.exe
File created	C:\Program Files\mrsmajor\mrsmajorlauncher.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\Doll_patch.xml	wscript.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\_metadata\verified_contents.json	elevation_service.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\checker.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat	wscript.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\ChromeRecoveryCRX.crx	elevation_service.exe
File opened for modification	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\rsod.exe	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 8 IoCs

evasion

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "33"	LogonUI.exe

Modifies registry class 23 IoCs

Processes:

wscript.exewscript.exechrome.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3980 NOTEPAD.EXE
2160 NOTEPAD.EXE

pid	process
3980	NOTEPAD.EXE
2160	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemmgaserver.exenotepad.exe

pid	process
4664	powershell.exe
4664	powershell.exe
5088	mmgaserver.exe
5088	mmgaserver.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1684 taskmgr.exe

pid	process
1684	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 42 IoCs

Processes:

chrome.exe

pid	process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

powershell.exemmgaserver.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exenotepad.exetaskmgr.exe7zG.exe7zG.exeeulascr.exeunregmp2.exetakeown.exetakeown.exeshutdown.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	5088	mmgaserver.exe
Token: SeShutdownPrivilege	4432	powercfg.exe
Token: SeCreatePagefilePrivilege	4432	powercfg.exe
Token: SeShutdownPrivilege	856	powercfg.exe
Token: SeCreatePagefilePrivilege	856	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeCreatePagefilePrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeLockMemoryPrivilege	3736	notepad.exe
Token: SeLockMemoryPrivilege	3736	notepad.exe
Token: SeDebugPrivilege	1684	taskmgr.exe
Token: SeSystemProfilePrivilege	1684	taskmgr.exe
Token: SeCreateGlobalPrivilege	1684	taskmgr.exe
Token: 33	1684	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1684	taskmgr.exe
Token: SeRestorePrivilege	1420	7zG.exe
Token: 35	1420	7zG.exe
Token: SeSecurityPrivilege	1420	7zG.exe
Token: SeSecurityPrivilege	1420	7zG.exe
Token: SeRestorePrivilege	4016	7zG.exe
Token: 35	4016	7zG.exe
Token: SeSecurityPrivilege	4016	7zG.exe
Token: SeSecurityPrivilege	4016	7zG.exe
Token: SeDebugPrivilege	4720	eulascr.exe
Token: SeShutdownPrivilege	4152	unregmp2.exe
Token: SeCreatePagefilePrivilege	4152	unregmp2.exe
Token: SeTakeOwnershipPrivilege	4284	takeown.exe
Token: SeTakeOwnershipPrivilege	4708	takeown.exe
Token: SeShutdownPrivilege	4760	shutdown.exe
Token: SeRemoteShutdownPrivilege	4760	shutdown.exe
Token: SeShutdownPrivilege	4072	shutdown.exe
Token: SeRemoteShutdownPrivilege	4072	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

notepad.exetaskmgr.exe

pid	process
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
3736	notepad.exe
1684	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

notepad.exetaskmgr.exe

pid	process
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
3736	notepad.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
3736	notepad.exe
1684	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeMrsMajor3.0.exeLogonUI.exe

pid process

2404 OpenWith.exe
1576 MrsMajor3.0.exe
1576 LogonUI.exe

pid	process
2404	OpenWith.exe
1576	MrsMajor3.0.exe
1576	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exemmgaserver.exemmgaserver.execmd.exechrome.exe

description	pid	process	target process
PID 1580 wrote to memory of 5088	1580	e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe	mmgaserver.exe
PID 1580 wrote to memory of 5088	1580	e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe	mmgaserver.exe
PID 5088 wrote to memory of 4664	5088	mmgaserver.exe	powershell.exe
PID 5088 wrote to memory of 4664	5088	mmgaserver.exe	powershell.exe
PID 5088 wrote to memory of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 5088 wrote to memory of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 5088 wrote to memory of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 5088 wrote to memory of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 5088 wrote to memory of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 5088 wrote to memory of 3960	5088	mmgaserver.exe	mmgaserver.exe
PID 3960 wrote to memory of 3824	3960	mmgaserver.exe	cmd.exe
PID 3960 wrote to memory of 3824	3960	mmgaserver.exe	cmd.exe
PID 3824 wrote to memory of 4432	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 4432	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 856	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 856	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 1640	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 1640	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 3308	3824	cmd.exe	powercfg.exe
PID 3824 wrote to memory of 3308	3824	cmd.exe	powercfg.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 3960 wrote to memory of 3736	3960	mmgaserver.exe	notepad.exe
PID 2616 wrote to memory of 1664	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1664	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2728	2616	chrome.exe	chrome.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe

C:\Users\Admin\AppData\Local\Temp\e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe
"C:\Users\Admin\AppData\Local\Temp\e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
"C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe eibjreadarlwhqjb0 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKtAojfzUwjTQS8LU11cio3B91Dnx64uJpd+yv3ODgmKtlyHUG4wlRe6qD3C4hnccuCyfObt0sQRm3xP0XSv1OFHH30qIKppKf2w90wbt8GGZsj8u4ML7JuplmjYMl/cqWtRx56XoRsGk8kfCYoJkSJSqQfbO2wc/udqfRyVtvxkb+gHe+1PC0E+8tAVIzQyBaeqj88aWSku1DfJkpu4sDiwLbpA9r9ONPzc75XW+jSgPQvswv8ksqs4Tu0ZWY7rAandbpqmu8t2ISmE+8o+Em9NMn4LWpG81LxGs0LtD5F+1s9fVJt0ChwNtb835D5RStVJiYB7eHxgMpNT8bHWu2Btvm29pw6corXv39uviLDGenOCPpHFK71tjvtw7nmFTnW5T2+yRMlYWgiyOwVY1Z5EkDxgEO5RvIgS8rfPl7WH5TRXdeABsT239oc/4DLkhkUssmapzpnW9lrnvvgGXOEKiqHIdAssGmDJ00Yg5UFFA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffddb134f50,0x7ffddb134f60,0x7ffddb134f70
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
2⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1944 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
2⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1040 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:1
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:8
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:8
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3732 /prefetch:8
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:8
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5240 /prefetch:2
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=936 /prefetch:1
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6348 /prefetch:8
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6448 /prefetch:8
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6336 /prefetch:8
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6320 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6736 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:8
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:8
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6776 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6452 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
2⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:8
2⤵
PID:4236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EULA.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6512 /prefetch:8
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6884 /prefetch:8
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6844 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6848 /prefetch:8
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6988 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
2⤵
PID:616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Password.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
2⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6096 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,11090352205394204259,10906742098531868560,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
2⤵
PID:616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3504

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3504_975096860\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={e04134f9-029a-401d-8d7c-184f5137abd1} --system
2⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap32656:118:7zEvent10353
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\Desktop\Setups.exe
"C:\Users\Admin\Desktop\Setups.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap28680:76:7zEvent24962
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Users\Admin\Desktop\MrsMajor3.0.exe
"C:\Users\Admin\Desktop\MrsMajor3.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B50.tmp\B51.tmp\B52.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:1420

C:\Users\Admin\AppData\Local\Temp\B50.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\B50.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\Desktop\MrsMajor2.0.exe
"C:\Users\Admin\Desktop\MrsMajor2.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1072

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2BA9.tmp\2BAA.vbs
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
PID:1684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
3⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\eula32.exe
eula32.exe
4⤵
- Executes dropped EXE
PID:4140

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4316

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\5D68.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
4⤵
- Drops file in System32 directory
PID:316

C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2864

C:\Windows\System32\takeown.exe
takeown /f sethc.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4908

C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
3⤵
- Executes dropped EXE
PID:3640

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 5
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\Desktop\BossDaMajor\BossDaMajor.exe
"C:\Users\Admin\Desktop\BossDaMajor\BossDaMajor.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1468

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3D1E.tmp\3D1F.vbs
2⤵
- Checks computer location settings
- Drops file in Program Files directory
PID:4332

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2360

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
PID:4112

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
4⤵
PID:3200

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
5⤵
PID:4840

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
5⤵
PID:516

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
6⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 03
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\Desktop\BossDaMajor\BossDaMajor.exe
"C:\Users\Admin\Desktop\BossDaMajor\BossDaMajor.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4012

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\403B.tmp\403C.vbs
2⤵
PID:1888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 40.txt
1⤵
PID:684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery