9aaa326da7ca2d0d7015742e3ffe5bce7df63cae147166e52f094a1c20897856

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f770982.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3AEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1ABB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770982.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C63.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3256.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49DE.tmp	msiexec.exe
File created	C:\Windows\Installer\f770987.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3023.tmp	msiexec.exe
File created	C:\Windows\Installer\f770985.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_20"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0224-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0395-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_95"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0248-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_87"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0112-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0376-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_64"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0309-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0326-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0360-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0301-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0286-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_286"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0103-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_103"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0331-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_331"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0308-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0197-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_197"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_51"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_165"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_86"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_48"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0334-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0233-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_233"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0325-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0410-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0309-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0309-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0312-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0290-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0316-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_20"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0084-ABCDEFFEDCBB}	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0199-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0332-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_332"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0138-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0330-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_330"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0146-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0290-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0333-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_333"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0142-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_76"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0100-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0284-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0315-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0225-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0238-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_238"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0342-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_23"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0086-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0277-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0189-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0203-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0340-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0343-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0403-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_403"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_61"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0205-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0097-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0100-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0334-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0184-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0257-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0260-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_95"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0350-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0079-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_79"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_38"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0060-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0105-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0236-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_249"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0301-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2600	irsetup.exe
2600	irsetup.exe
1844	chrome.exe
1844	chrome.exe
1496	msiexec.exe
1496	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2520	jre-windows.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeCreateTokenPrivilege	2520	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2520	jre-windows.exe
Token: SeLockMemoryPrivilege	2520	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2520	jre-windows.exe
Token: SeMachineAccountPrivilege	2520	jre-windows.exe
Token: SeTcbPrivilege	2520	jre-windows.exe
Token: SeSecurityPrivilege	2520	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2520	jre-windows.exe
Token: SeLoadDriverPrivilege	2520	jre-windows.exe
Token: SeSystemProfilePrivilege	2520	jre-windows.exe
Token: SeSystemtimePrivilege	2520	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2520	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2520	jre-windows.exe
Token: SeCreatePagefilePrivilege	2520	jre-windows.exe
Token: SeCreatePermanentPrivilege	2520	jre-windows.exe
Token: SeBackupPrivilege	2520	jre-windows.exe
Token: SeRestorePrivilege	2520	jre-windows.exe
Token: SeShutdownPrivilege	2520	jre-windows.exe
Token: SeDebugPrivilege	2520	jre-windows.exe
Token: SeAuditPrivilege	2520	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2520	jre-windows.exe
Token: SeChangeNotifyPrivilege	2520	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2520	jre-windows.exe
Token: SeUndockPrivilege	2520	jre-windows.exe
Token: SeSyncAgentPrivilege	2520	jre-windows.exe
Token: SeEnableDelegationPrivilege	2520	jre-windows.exe
Token: SeManageVolumePrivilege	2520	jre-windows.exe
Token: SeImpersonatePrivilege	2520	jre-windows.exe
Token: SeCreateGlobalPrivilege	2520	jre-windows.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2912	irsetup.exe
2912	irsetup.exe
2912	irsetup.exe
2912	irsetup.exe
2600	irsetup.exe
2600	irsetup.exe
2520	jre-windows.exe
2520	jre-windows.exe
2520	jre-windows.exe
2520	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2000 wrote to memory of 2912	2000	TLauncher-Installer-1.3.5.exe	28
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 2912 wrote to memory of 1972	2912	irsetup.exe	30
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 1972 wrote to memory of 2600	1972	BrowserInstaller.exe	31
PID 2912 wrote to memory of 1612	2912	irsetup.exe	35
PID 2912 wrote to memory of 1612	2912	irsetup.exe	35
PID 2912 wrote to memory of 1612	2912	irsetup.exe	35
PID 2912 wrote to memory of 1612	2912	irsetup.exe	35
PID 1612 wrote to memory of 2520	1612	jre-windows.exe	36
PID 1612 wrote to memory of 2520	1612	jre-windows.exe	36
PID 1612 wrote to memory of 2520	1612	jre-windows.exe	36
PID 1496 wrote to memory of 2468	1496	msiexec.exe	39
PID 1496 wrote to memory of 2468	1496	msiexec.exe	39
PID 1496 wrote to memory of 2468	1496	msiexec.exe	39
PID 1496 wrote to memory of 2468	1496	msiexec.exe	39
PID 1496 wrote to memory of 2468	1496	msiexec.exe	39
PID 1844 wrote to memory of 1348	1844	chrome.exe	41
PID 1844 wrote to memory of 1348	1844	chrome.exe	41
PID 1844 wrote to memory of 1348	1844	chrome.exe	41
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43
PID 1844 wrote to memory of 568	1844	chrome.exe	43

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe" "__IRCT:3" "__IRTSS:24068259" "__IRSID:S-1-5-21-1298544033-3225604241-2703760938-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-1298544033-3225604241-2703760938-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2600
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\jds259453203.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259453203.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2520
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        
        PID:2760
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        
        PID:320
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    PID:1104
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      PID:1552
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:3808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 1CDB5CE9C1DF29C0C043FBF41824E159
  2⤵
  - Loads dropped DLL
  PID:2468
- C:\Program Files\Java\jre-1.8\installer.exe
  "C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2676
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1044
- - C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    "C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:2156
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:1800
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:928
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:1012
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:2016
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A3715FDC4DC13C9654F3D4C2330C46DF M Global\MSI0000
  2⤵
  PID:2052
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 7C1754B2DD52B486A7242951B6C90E24
  2⤵
  PID:2392
- C:\Windows\Installer\MSI18AA.tmp
  "C:\Windows\Installer\MSI18AA.tmp" C:\Program Files\Java\jre7\;C;2
  2⤵
  PID:1456
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  2⤵
  PID:2156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 851553D9173CCC1C818C1E5629817638
  2⤵
  PID:872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03D50F42CFEADCC55E517B9FAD11DC36 M Global\MSI0000
  2⤵
  PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3839758,0x7fef3839768,0x7fef3839778
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:2
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2844 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:2
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1264 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4172 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4080 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2060 --field-trial-handle=1356,i,1133331829723284749,13003188552828801130,131072 /prefetch:8
  2⤵
  PID:2476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery