zloader | f5b3db14850a6a7622acb969eb356953a038d0547a2f96d1d5400f7e765eaecb

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4916-3790-0x00000000003F0000-0x00000000007D8000-memory.dmp	upx
behavioral1/memory/4916-4127-0x00000000003F0000-0x00000000007D8000-memory.dmp	upx
behavioral1/memory/2780-4178-0x00000000001D0000-0x00000000005B8000-memory.dmp	upx
behavioral1/files/0x059a00000001c21c-4201.dat	upx
behavioral1/memory/4916-4202-0x00000000003F0000-0x00000000007D8000-memory.dmp	upx
behavioral1/memory/4648-4208-0x0000000000AE0000-0x0000000001018000-memory.dmp	upx
behavioral1/memory/2984-4210-0x0000000000A60000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/1904-4209-0x0000000000A60000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/1572-4215-0x0000000000A60000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/1676-4221-0x0000000000A60000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/2780-4222-0x00000000001D0000-0x00000000005B8000-memory.dmp	upx
behavioral1/memory/4916-4546-0x00000000003F0000-0x00000000007D8000-memory.dmp	upx
behavioral1/memory/4916-5257-0x00000000003F0000-0x00000000007D8000-memory.dmp	upx
behavioral1/memory/4916-5683-0x00000000003F0000-0x00000000007D8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GearUPBooster = "\"C:\\Program Files (x86)\\GearUPBooster\\gearup_booster.exe\" /silent"	gearup_booster.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	gearup_booster.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GearUPBooster\api-ms-win-core-timezone-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\widevinecdmadapter.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\arm64\OemVista.inf	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\apiinstall_x64.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\gearup_booster_render.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\wfp\win\x32\nwwfp.sys	7za.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-621.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\en-US.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\api-ms-win-crt-time-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\skin.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\tap_driver\i386\NW_TAP_0921.sys	7za.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\hostfp	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\zh-TW.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\i386\OemVista.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\NW_TAP_0921.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\gearup_booster_ball.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\api-ms-win-crt-locale-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\browser.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\NW_TAP_0909.sys	7za.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\api-ms-win-crt-stdio-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\tap_driver\i386\NW_TAP_0909.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\hostfp\64\hostpacket.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\en-US.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\tap0901.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\apiinstall_x64.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\d3dcompiler_43.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\libcef.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\msvcr100.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\ui.dll	7za.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621.exe
File created	C:\Program Files (x86)\GearUPBooster\gearup_booster_translate.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\update.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\api-ms-win-crt-convert-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\local_proxy.dll	7za.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\icudtl.dat	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\d3dcompiler_47.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\ws2detour_x64.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\ws2detour_x64.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\.sentry-native\b571e4a0-74e3-4224-2a5d-ca81c3364443.run\__sentry-event	gearup_booster.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\cef_200_percent.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\OemVista.inf	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\api-ms-win-core-processthreads-l1-1-1.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\host_fp.dll	7za.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621.exe
File created	C:\Program Files (x86)\GearUPBooster\lsp64.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\nw_tap_0909.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\i386\nw_tap_0921.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\NW_TAP_0921.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\api-ms-win-core-localization-l1-2-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\api-ms-win-crt-environment-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\d3dcompiler_43.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\libGLESv2.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\ping.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\hostfp\32	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\tap_driver\x64\nw_tap_0921.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\api-ms-win-core-processthreads-l1-1-1.dll	7za.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\tap_driver\arm64\OemVista.inf	7za.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	GearUP-1.5.0-ent8-aafteri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	gearup_booster.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133250332166438394"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r06	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
4828	chrome.exe
4828	chrome.exe
2556	gearup_booster.exe
2556	gearup_booster.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
6056	WinRAR.exe
896	WinRAR.exe
5652	WinRAR.exe
6020	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
628	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4168	unregmp2.exe
Token: SeCreatePagefilePrivilege	4168	unregmp2.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
1320	gearup_booster_ball.exe
2556	gearup_booster.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
1320	gearup_booster_ball.exe
2556	gearup_booster.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe
6020	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe
2780	irsetup.exe
2780	irsetup.exe
1592	winrar-x64-621.exe
1592	winrar-x64-621.exe
6056	WinRAR.exe
6056	WinRAR.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe
1192	MEMZ.exe
1200	MEMZ.exe
6048	MEMZ.exe
5900	MEMZ.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe
1192	MEMZ.exe
1200	MEMZ.exe
6048	MEMZ.exe
5900	MEMZ.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe
1192	MEMZ.exe
1200	MEMZ.exe
6048	MEMZ.exe
5900	MEMZ.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe
1192	MEMZ.exe
1200	MEMZ.exe
6048	MEMZ.exe
5900	MEMZ.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe
1192	MEMZ.exe
1200	MEMZ.exe
6048	MEMZ.exe
5900	MEMZ.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe
1192	MEMZ.exe
1200	MEMZ.exe
6048	MEMZ.exe
5900	MEMZ.exe
1192	MEMZ.exe
5900	MEMZ.exe
6048	MEMZ.exe
1200	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 2200	3644	wmplayer.exe	66
PID 3644 wrote to memory of 2200	3644	wmplayer.exe	66
PID 3644 wrote to memory of 2200	3644	wmplayer.exe	66
PID 3644 wrote to memory of 3924	3644	wmplayer.exe	67
PID 3644 wrote to memory of 3924	3644	wmplayer.exe	67
PID 3644 wrote to memory of 3924	3644	wmplayer.exe	67
PID 3924 wrote to memory of 4168	3924	unregmp2.exe	68
PID 3924 wrote to memory of 4168	3924	unregmp2.exe	68
PID 3888 wrote to memory of 2172	3888	chrome.exe	71
PID 3888 wrote to memory of 2172	3888	chrome.exe	71
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4420	3888	chrome.exe	74
PID 3888 wrote to memory of 4384	3888	chrome.exe	73
PID 3888 wrote to memory of 4384	3888	chrome.exe	73
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75
PID 3888 wrote to memory of 2948	3888	chrome.exe	75

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\0-02-0a-ab608ce4619c10c5d404f16bc3f3a3e1a39bcad96df6f2ffe440a46a09b7a566_d59198ec.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\0-02-0a-ab608ce4619c10c5d404f16bc3f3a3e1a39bcad96df6f2ffe440a46a09b7a566_d59198ec.mp4"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xac,0xd8,0x7ffca8f29758,0x7ffca8f29768,0x7ffca8f29778
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1596 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3196 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3312 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1064 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5052 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5300 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5544 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5532 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4724 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5856 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6108 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=1068 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3420 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5348 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5276 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3316 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3276 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=4556 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5012 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5352 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4736 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=4796 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=4792 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=3880 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=4460 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6296 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6432 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6168 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6256 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=5028 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=4744 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=3820 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=5256 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=3176 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6580 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=7112 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=6812 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7156 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3644 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4404 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6164 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Users\Admin\Downloads\GearUP-1.5.0-ent8-aafteri.exe
  "C:\Users\Admin\Downloads\GearUP-1.5.0-ent8-aafteri.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:4748
- - C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe
    "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe" x "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip" -o"C:\Program Files (x86)\GearUPBooster\" -aoa
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\"
    3⤵
    PID:2084
- - C:\Program Files (x86)\GearUPBooster\gearup_booster.exe
    "C:\Program Files (x86)\GearUPBooster\gearup_booster.exe" /install_shortcut 1 /install_autorun 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2556
  - - C:\Program Files (x86)\GearUPBooster\crashpad_handler.exe
      "C:\Program Files (x86)\GearUPBooster\crashpad_handler.exe" --no-rate-limit "--database=C:\Program Files (x86)\GearUPBooster\.sentry-native" "--metrics-dir=C:\Program Files (x86)\GearUPBooster\.sentry-native" --url=https://sentry.guinfra.com:443/api/30/minidump/?sentry_client=sentry.native/0.5.3&sentry_key=e59bef2d0cf245eaa0d97f08c5eab5fe "--attachment=C:\Program Files (x86)\GearUPBooster\.sentry-native\b571e4a0-74e3-4224-2a5d-ca81c3364443.run\__sentry-event" "--attachment=C:\Program Files (x86)\GearUPBooster\.sentry-native\b571e4a0-74e3-4224-2a5d-ca81c3364443.run\__sentry-breadcrumb1" "--attachment=C:\Program Files (x86)\GearUPBooster\.sentry-native\b571e4a0-74e3-4224-2a5d-ca81c3364443.run\__sentry-breadcrumb2" --initial-client-data=0x38c,0x390,0x394,0x2e8,0x398,0x72d35160,0x72d35174,0x72d35184
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3772
  - - C:\Program Files (x86)\GearUPBooster\gearup_booster_ball.exe
      C:\Program Files (x86)\GearUPBooster\gearup_booster_ball.exe /main_form_wnd 2293850 /show_flag 0 /pos_x -1 /pos_y -1 /version 9107 /client_id 642b4f14c51df40868b64beb /gray 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1320
  - - C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
      "C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --disable-databases --primordial-pipe-token=4FE3D6814FD53E03DB06DB8165C25A7C --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=4FE3D6814FD53E03DB06DB8165C25A7C --channel="2556.0.147804730\394457348" --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=6180 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=6328 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=6920 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=6500 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=3408 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=3320 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=7332 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=3400 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=1520 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=6312 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=7300 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=6792 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=7444 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7476 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5320 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7572 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6620 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:784
- C:\Users\Admin\Downloads\TLauncher-2.86-Installer-1.0.1.exe
  "C:\Users\Admin\Downloads\TLauncher-2.86-Installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.86-Installer-1.0.1.exe" "__IRCT:3" "__IRTSS:22693301" "__IRSID:S-1-5-21-3346939869-2835594282-3775165920-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
      4⤵
      Executes dropped EXE
      PID:4208
    - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-3346939869-2835594282-3775165920-1000"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.43 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x68b233e0,0x68b233f0,0x68b233fc
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1904 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230403221312" --session-guid=192782c8-8ec1-48e9-b5b8-17270e811d52 --server-tracking-blob="NTg5YTA1NzZhMTY4M2Q4ZTdlOWVhM2Y0ZTVhOTQ0NmRkM2UyNWU4NGFiMzRhYTk0MDYyNGM0NmQyNDdhNmUwYjp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY4MDU1Mjc5MC42NDAyIiwidXNlcmFnZW50IjoiU2V0dXAgRmFjdG9yeSA5LjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiJPcGVyYURlc2t0b3AiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJNU1RMIn0sInV1aWQiOiI2ZGJmODYwZS0wYTc0LTRjYzctOWQxZC04NmE4NzhhODYwOGYifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1805000000000000
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.43 --initial-client-data=0x310,0x314,0x318,0x2e0,0x31c,0x681c33e0,0x681c33f0,0x681c33fc
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304032213121\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304032213121\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe"
        7⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304032213121\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304032213121\assistant\assistant_installer.exe" --version
        7⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304032213121\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304032213121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.50 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x4e6c28,0x4e6c38,0x4e6c44
        8⤵
        Executes dropped EXE
        
        PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=2420 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=6180 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=7548 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=6740 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=4732 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=7228 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5368 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=6264 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=6812 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=7500 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=7424 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=3284 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=6944 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=6932 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=6448 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=5216 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=4664 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=98 --mojo-platform-channel-handle=3408 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=99 --mojo-platform-channel-handle=6836 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=6380 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=7152 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=102 --mojo-platform-channel-handle=6500 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=103 --mojo-platform-channel-handle=4412 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=104 --mojo-platform-channel-handle=4740 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=105 --mojo-platform-channel-handle=4712 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=106 --mojo-platform-channel-handle=6988 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=107 --mojo-platform-channel-handle=7196 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=108 --mojo-platform-channel-handle=6664 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=109 --mojo-platform-channel-handle=6320 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=110 --mojo-platform-channel-handle=1472 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=111 --mojo-platform-channel-handle=7500 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=112 --mojo-platform-channel-handle=7388 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=113 --mojo-platform-channel-handle=7752 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=114 --mojo-platform-channel-handle=6992 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=115 --mojo-platform-channel-handle=7256 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=116 --mojo-platform-channel-handle=7568 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=117 --mojo-platform-channel-handle=7444 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=118 --mojo-platform-channel-handle=6616 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=119 --mojo-platform-channel-handle=7844 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=120 --mojo-platform-channel-handle=7316 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=121 --mojo-platform-channel-handle=7852 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=122 --mojo-platform-channel-handle=6192 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=123 --mojo-platform-channel-handle=3080 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=124 --mojo-platform-channel-handle=5544 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=125 --mojo-platform-channel-handle=5556 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=126 --mojo-platform-channel-handle=6884 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=127 --mojo-platform-channel-handle=7484 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=128 --mojo-platform-channel-handle=7944 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=129 --mojo-platform-channel-handle=7964 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=130 --mojo-platform-channel-handle=8164 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=131 --mojo-platform-channel-handle=8276 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=132 --mojo-platform-channel-handle=8612 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=133 --mojo-platform-channel-handle=8320 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=134 --mojo-platform-channel-handle=8524 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=135 --mojo-platform-channel-handle=8632 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=136 --mojo-platform-channel-handle=5588 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=137 --mojo-platform-channel-handle=8204 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7224 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4460 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4740 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7716 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7772 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:6120
- C:\Users\Admin\Downloads\winrar-x64-621.exe
  "C:\Users\Admin\Downloads\winrar-x64-621.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1592
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=144 --mojo-platform-channel-handle=3324 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=145 --mojo-platform-channel-handle=7944 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=146 --mojo-platform-channel-handle=5752 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=147 --mojo-platform-channel-handle=7644 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=148 --mojo-platform-channel-handle=7736 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=149 --mojo-platform-channel-handle=7416 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=150 --mojo-platform-channel-handle=6764 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=151 --mojo-platform-channel-handle=6344 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=152 --mojo-platform-channel-handle=7664 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=154 --mojo-platform-channel-handle=4480 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=153 --mojo-platform-channel-handle=4808 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=155 --mojo-platform-channel-handle=7780 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=156 --mojo-platform-channel-handle=9104 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=157 --mojo-platform-channel-handle=5576 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\processhacker-2.39-bin.zip"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa6056.29905\x64\ProcessHacker.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa6056.29905\x64\ProcessHacker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=158 --mojo-platform-channel-handle=6852 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=159 --mojo-platform-channel-handle=8468 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=160 --mojo-platform-channel-handle=7948 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=161 --mojo-platform-channel-handle=9128 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:68
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=162 --mojo-platform-channel-handle=7504 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=163 --mojo-platform-channel-handle=6484 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=166 --mojo-platform-channel-handle=6496 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=165 --mojo-platform-channel-handle=7236 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=164 --mojo-platform-channel-handle=5040 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=168 --mojo-platform-channel-handle=7612 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=167 --mojo-platform-channel-handle=8144 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=170 --mojo-platform-channel-handle=6792 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=169 --mojo-platform-channel-handle=7864 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=171 --mojo-platform-channel-handle=8644 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=172 --mojo-platform-channel-handle=4612 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8180 --field-trial-handle=1732,i,3601002965398380939,12853930010479256334,131072 /prefetch:8
  2⤵
  PID:5904
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\memz-main.zip"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:896
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Rar$DIa896.31559\MEMZ 3.0 (1).zip"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe"
      4⤵
      Executes dropped EXE
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe" /watchdog
        5⤵
        Executes dropped EXE
        
        PID:5680
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe" /watchdog
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5900
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe" /watchdog
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6048
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe" /watchdog
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe" /watchdog
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rar$EXa5652.31886\MEMZ 3.0\MEMZ.exe" /main
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4848
      - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        6⤵
        
        PID:1856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a4
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery