dcrat | hxxps://github[.]com

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	dcrat_updservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Serverfontsaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Serverfontsaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	dcrat_updservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Serverfontsaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	gpuz_installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	dcrat_updservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 64 IoCs

pid	Process
4280	setup.exe
3996	katB08E.tmp
3864	DCRat.exe
3960	dcrat_updservice.exe
3108	dcrat_updservice.exe
3416	Serverfontsaves.exe
6104	Serverfontsaves.exe
4660	dllhost.exe
5816	msedge.exe
752	DCRat.exe
6904	dcrat_updservice.exe
3660	DCRat.exe
1812	DCRat.exe
5096	Serverfontsaves.exe
5672	SppExtComObj.exe
4228	SppExtComObj.exe
3080	SppExtComObj.exe
4216	SppExtComObj.exe
5048	SppExtComObj.exe
6036	SppExtComObj.exe
2296	SppExtComObj.exe
640	SppExtComObj.exe
6792	wscript.exe
2860	sppsvc.exe
1616	taskhostw.exe
6408	OfficeClickToRun.exe
6860	SppExtComObj.exe
5524	csrss.exe
2960	csrss.exe
4556	csrss.exe
6288	csrss.exe
6128	csrss.exe
6272	csrss.exe
4496	TextInputHost.exe
4532	csrss.exe
4076	csrss.exe
5896	csrss.exe
2124	csrss.exe
5148	csrss.exe
3512	csrss.exe
1440	csrss.exe
6784	csrss.exe
5988	csrss.exe
2544	csrss.exe
4280	csrss.exe
2320	csrss.exe
1908	csrss.exe
5396	csrss.exe
2848	csrss.exe
3552	csrss.exe
4440	csrss.exe
2060	csrss.exe
1516	wscript.exe
6468	sppsvc.exe
6688	OfficeClickToRun.exe
932	taskhostw.exe
6224	sihost.exe
4480	csrss.exe
1684	SC INSTALLER.exe
428	SC INSTALLER.exe
6612	csrss.exe
3712	DCRat.sfx.exe
6188	csrss.exe
6304	SandeLLo CHECKER.exe

Loads dropped DLL 46 IoCs

pid	Process
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
6560	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
6304	SandeLLo CHECKER.exe
6304	SandeLLo CHECKER.exe
5952	SandeLLo CHECKER.exe
5952	SandeLLo CHECKER.exe
5132	SandeLLo CHECKER.exe
5132	SandeLLo CHECKER.exe
5900	AppUpdater.exe
5900	AppUpdater.exe
6884	AppUpdater.exe
6884	AppUpdater.exe
5812	SandeLLo CHECKER.exe
5812	SandeLLo CHECKER.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2044	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000023662-2534.dat	upx
behavioral1/memory/4280-4958-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/4280-4975-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0009000000023673-5348.dat	upx
behavioral1/memory/3480-5373-0x0000000000D80000-0x0000000003A61000-memory.dmp	upx
behavioral1/memory/980-5375-0x0000000000D80000-0x0000000003A61000-memory.dmp	upx
behavioral1/memory/3480-5419-0x0000000000D80000-0x0000000003A61000-memory.dmp	upx
behavioral1/memory/980-5423-0x0000000000D80000-0x0000000003A61000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	SC INSTALLER.exe
File opened (read-only)	\??\W:	SC INSTALLER.exe
File opened (read-only)	\??\H:	SC INSTALLER.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	SC INSTALLER.exe
File opened (read-only)	\??\Q:	SC INSTALLER.exe
File opened (read-only)	\??\G:	SC INSTALLER.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	SC INSTALLER.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\A:	SC INSTALLER.exe
File opened (read-only)	\??\E:	SC INSTALLER.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	SC INSTALLER.exe
File opened (read-only)	\??\Y:	SC INSTALLER.exe
File opened (read-only)	\??\Z:	SC INSTALLER.exe
File opened (read-only)	\??\J:	SC INSTALLER.exe
File opened (read-only)	\??\S:	SC INSTALLER.exe
File opened (read-only)	\??\V:	SC INSTALLER.exe
File opened (read-only)	\??\Y:	SC INSTALLER.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	SC INSTALLER.exe
File opened (read-only)	\??\O:	SC INSTALLER.exe
File opened (read-only)	\??\R:	SC INSTALLER.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	SC INSTALLER.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	SC INSTALLER.exe
File opened (read-only)	\??\J:	SC INSTALLER.exe
File opened (read-only)	\??\P:	SC INSTALLER.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	SC INSTALLER.exe
File opened (read-only)	\??\M:	SC INSTALLER.exe
File opened (read-only)	\??\V:	SC INSTALLER.exe
File opened (read-only)	\??\I:	SC INSTALLER.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	SC INSTALLER.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	SC INSTALLER.exe
File opened (read-only)	\??\T:	SC INSTALLER.exe
File opened (read-only)	\??\L:	SC INSTALLER.exe
File opened (read-only)	\??\M:	SC INSTALLER.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	SC INSTALLER.exe
File opened (read-only)	\??\T:	SC INSTALLER.exe
File opened (read-only)	\??\U:	SC INSTALLER.exe
File opened (read-only)	\??\W:	SC INSTALLER.exe
File opened (read-only)	\??\Z:	SC INSTALLER.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	SC INSTALLER.exe
File opened (read-only)	\??\L:	SC INSTALLER.exe
File opened (read-only)	\??\B:	SC INSTALLER.exe
File opened (read-only)	\??\P:	SC INSTALLER.exe
File opened (read-only)	\??\S:	SC INSTALLER.exe
File opened (read-only)	\??\N:	SC INSTALLER.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
799	raw.githubusercontent.com
800	raw.githubusercontent.com
816	raw.githubusercontent.com
817	raw.githubusercontent.com
818	raw.githubusercontent.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 3996	4280	setup.exe	123

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	Serverfontsaves.exe
File created	C:\Program Files\Common Files\DESIGNER\winlogon.exe	Serverfontsaves.exe
File created	C:\Program Files\Common Files\DESIGNER\cc11b995f2a76d	Serverfontsaves.exe
File created	C:\Program Files\Windows Defender\en-US\msedge.exe	Serverfontsaves.exe
File created	C:\Program Files\Windows Defender\en-US\61a52ddc9dd915	Serverfontsaves.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe	Serverfontsaves.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\61a52ddc9dd915	Serverfontsaves.exe
File opened for modification	C:\Program Files (x86)\GPU-Z\GPU-Z.exe	gpuz_installer.tmp
File created	C:\Program Files (x86)\GPU-Z\unins000.dat	gpuz_installer.tmp
File created	C:\Program Files (x86)\GPU-Z\is-LOVAP.tmp	gpuz_installer.tmp
File opened for modification	C:\Program Files (x86)\GPU-Z\unins000.dat	gpuz_installer.tmp
File created	C:\Program Files (x86)\Windows Media Player\Icons\SppExtComObj.exe	Serverfontsaves.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	Serverfontsaves.exe
File created	C:\Program Files\Windows Multimedia Platform\msedge.exe	Serverfontsaves.exe
File created	C:\Program Files\Windows Multimedia Platform\61a52ddc9dd915	Serverfontsaves.exe
File created	C:\Program Files (x86)\GPU-Z\is-BPD9S.tmp	gpuz_installer.tmp

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F123046A-2CBF-4743-A59B-E3D2751B5780}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e638a54.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BED.tmp	msiexec.exe
File created	C:\Windows\Globalization\Sorting\Serverfontsaves.exe	Serverfontsaves.exe
File opened for modification	C:\Windows\Installer\MSI9048.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9155.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92AF.tmp	msiexec.exe
File created	C:\Windows\uk-UA\66fc9ff0ee96c2	Serverfontsaves.exe
File opened for modification	C:\Windows\Installer\MSI8F0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9165.tmp	msiexec.exe
File created	C:\Windows\Installer\e638a56.msi	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\cc11b995f2a76d	Serverfontsaves.exe
File created	C:\Windows\Installer\e638a54.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BCD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9088.tmp	msiexec.exe
File created	C:\Windows\Globalization\Sorting\3ac88e81d55828	Serverfontsaves.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9456.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9477.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI936B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9487.tmp	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\winlogon.exe	Serverfontsaves.exe
File created	C:\Windows\uk-UA\sihost.exe	Serverfontsaves.exe
File opened for modification	C:\Windows\Installer\MSI8BBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90E6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5088	3996	WerFault.exe	123

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1556	schtasks.exe
5416	schtasks.exe
5920	schtasks.exe
2732	schtasks.exe
2820	schtasks.exe
5048	schtasks.exe
1468	schtasks.exe
2116	schtasks.exe
5188	schtasks.exe
5856	schtasks.exe
2116	schtasks.exe
1528	schtasks.exe
1136	schtasks.exe
2516	schtasks.exe
5504	schtasks.exe
1136	schtasks.exe
5420	schtasks.exe
4636	schtasks.exe
4708	schtasks.exe
4616	schtasks.exe
2352	schtasks.exe
3400	schtasks.exe
1204	schtasks.exe
5596	schtasks.exe
2412	schtasks.exe
5032	schtasks.exe
3600	schtasks.exe
536	schtasks.exe
4048	schtasks.exe
4724	schtasks.exe
2068	schtasks.exe
6424	schtasks.exe
428	schtasks.exe
4964	schtasks.exe
4556	schtasks.exe
4488	schtasks.exe
4928	schtasks.exe
5900	schtasks.exe
3664	schtasks.exe
6012	schtasks.exe
5340	schtasks.exe
5908	schtasks.exe
5776	schtasks.exe
4228	schtasks.exe
3512	schtasks.exe
4492	schtasks.exe
4700	schtasks.exe
3376	schtasks.exe
5788	schtasks.exe
5912	schtasks.exe
4716	schtasks.exe
4588	schtasks.exe
3904	schtasks.exe
1892	schtasks.exe
5260	schtasks.exe
4724	schtasks.exe
60	schtasks.exe
3808	schtasks.exe
1652	schtasks.exe
1276	schtasks.exe
4616	schtasks.exe
4248	schtasks.exe
3872	schtasks.exe
4480	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2468	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Colors	SC INSTALLER.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597534291009278"	chrome.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	Serverfontsaves.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	dcrat_updservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{2AEAD007-1C39-4D9A-BF01-6C05086E9AA6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	dcrat_updservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	Serverfontsaves.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	dcrat_updservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{73243136-0C4C-464E-8C7C-A0B2CA7E8846}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wscript.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\GPU-Z.exe\:SmartScreen:$DATA	GPU-Z.2.59.0.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 60042.crdownload:SmartScreen	msedge.exe

Runs regedit.exe 1 IoCs

pid	Process
2248	Regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
1284	msedge.exe
1284	msedge.exe
560	identity_helper.exe
560	identity_helper.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
3176	msedge.exe
3176	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
3600	msedge.exe
3600	msedge.exe
3416	Serverfontsaves.exe
3416	Serverfontsaves.exe
3416	Serverfontsaves.exe
3416	Serverfontsaves.exe
3416	Serverfontsaves.exe
3416	Serverfontsaves.exe
3416	Serverfontsaves.exe
2352	powershell.exe
2352	powershell.exe
544	powershell.exe
544	powershell.exe
2420	powershell.exe
2420	powershell.exe
3740	powershell.exe
3740	powershell.exe
3432	powershell.exe
3432	powershell.exe
2536	powershell.exe
2536	powershell.exe
60	powershell.exe
60	powershell.exe
4176	powershell.exe
4176	powershell.exe
3308	powershell.exe
3308	powershell.exe
1468	powershell.exe
1468	powershell.exe
4640	powershell.exe
4640	powershell.exe
1640	powershell.exe
1640	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

pid	Process
6116	taskmgr.exe
7104	taskmgr.exe
2248	Regedit.exe
468	BrowserDownloadsView.exe
2456	BrowserDownloadsView.exe
5276	DevManView.exe
6240	ExecutedProgramsList.exe
4280	MUICacheView.exe
4032	JumpListsView.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	taskmgr.exe
Token: SeSystemProfilePrivilege	3176	taskmgr.exe
Token: SeCreateGlobalPrivilege	3176	taskmgr.exe
Token: 33	3176	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3176	taskmgr.exe
Token: SeDebugPrivilege	4224	taskmgr.exe
Token: SeSystemProfilePrivilege	4224	taskmgr.exe
Token: SeCreateGlobalPrivilege	4224	taskmgr.exe
Token: 33	4224	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4224	taskmgr.exe
Token: SeRestorePrivilege	4604	7zG.exe
Token: 35	4604	7zG.exe
Token: SeSecurityPrivilege	4604	7zG.exe
Token: SeSecurityPrivilege	4604	7zG.exe
Token: SeRestorePrivilege	1088	7zG.exe
Token: 35	1088	7zG.exe
Token: SeSecurityPrivilege	1088	7zG.exe
Token: SeSecurityPrivilege	1088	7zG.exe
Token: SeDebugPrivilege	4556	taskmgr.exe
Token: SeSystemProfilePrivilege	4556	taskmgr.exe
Token: SeCreateGlobalPrivilege	4556	taskmgr.exe
Token: 33	4556	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4556	taskmgr.exe
Token: SeRestorePrivilege	3456	7zG.exe
Token: 35	3456	7zG.exe
Token: SeSecurityPrivilege	3456	7zG.exe
Token: SeSecurityPrivilege	3456	7zG.exe
Token: SeDebugPrivilege	3416	Serverfontsaves.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	6104	Serverfontsaves.exe
Token: SeDebugPrivilege	4660	dllhost.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	5584	powershell.exe
Token: SeDebugPrivilege	5256	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	6116	taskmgr.exe
Token: SeSystemProfilePrivilege	6116	taskmgr.exe
Token: SeCreateGlobalPrivilege	6116	taskmgr.exe
Token: SeDebugPrivilege	5816	msedge.exe
Token: SeRestorePrivilege	6748	7zG.exe
Token: 35	6748	7zG.exe
Token: SeSecurityPrivilege	6748	7zG.exe
Token: SeSecurityPrivilege	6748	7zG.exe
Token: 33	6116	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4952	DCRat.sfx.exe
4952	DCRat.sfx.exe
4844	DCRat.sfx.exe
4844	DCRat.sfx.exe
3820	OpenWith.exe
2412	shellbag.exe
2412	shellbag.exe
3480	GPU-Z.2.59.0.exe
980	GPU-Z.2.59.0.exe
4704	GPU-Z.2.59.0.exe
4704	GPU-Z.2.59.0.exe
3732	gpuz_installer.exe
4816	gpuz_installer.tmp
5756	GPU-Z.exe
5756	GPU-Z.exe
5756	GPU-Z.exe
5756	GPU-Z.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1480	1284	msedge.exe	82
PID 1284 wrote to memory of 1480	1284	msedge.exe	82
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 4436	1284	msedge.exe	83
PID 1284 wrote to memory of 1516	1284	msedge.exe	84
PID 1284 wrote to memory of 1516	1284	msedge.exe	84
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85
PID 1284 wrote to memory of 4244	1284	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com
1⤵
- DcRat
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e5e046f8,0x7ff9e5e04708,0x7ff9e5e04718
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5592 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6696 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8256 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8560 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8876 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8688 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9548 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8776 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9912 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9808 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10296 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10372 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10496 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10688 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7748655058580427175,17252954933554345630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3176

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap12429:72:7zEvent18355
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2366:68:7zEvent8217
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4280
- C:\Users\Admin\AppData\Local\Temp\katB08E.tmp
  C:\Users\Admin\AppData\Local\Temp\katB08E.tmp
  2⤵
  - Executes dropped EXE
  PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1680
    3⤵
    - Program crash
    PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3996 -ip 3996
1⤵
PID:3156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\DCRAT-Crack-main\" -an -ai#7zMap22980:102:7zEvent1768
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.exe
"C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.exe"
1⤵
- Executes dropped EXE
PID:3864
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIIIllIllIlIIIlIIIIIIlIIIIIIIlllIlllIIIIllIIlIIIllIIlIllllIllIIlllllIlIIllIIIIIIIIIllIlIIIIIllIllIllIIlllIlIIlIllllIIII.jar;lib\IIlIIIlIlIIIIIllllIlIllIlIIIllIlllIllIIIIlllIllIlIllllIIlIlIIIllIIlIlIIllllIlIlIlIIlIlllIlIlIIIlIIIIIIllllllllIlIllIIIIl.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  PID:4992
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\DCRAT-Crack-main\Bypass_license.bat" "
1⤵
PID:4188
- C:\Users\Admin\Desktop\DCRAT-Crack-main\dcrat_updservice.exe
  dcrat_updservice.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID:3960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\webintoruntimesvc\QICY7Iox.vbe"
    3⤵
    - Checks computer location settings
    PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\webintoruntimesvc\RfOoYslo.bat" "
      4⤵
      PID:336
    - - C:\webintoruntimesvc\Serverfontsaves.exe
        
        "C:\webintoruntimesvc\Serverfontsaves.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\Serverfontsaves.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wscript.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\wscript.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\DCRat.sfx.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2WOvmLpKwy.bat"
        6⤵
        
        PID:5144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4292
        
        C:\Users\Public\AccountPictures\dllhost.exe
        
        "C:\Users\Public\AccountPictures\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\webintoruntimesvc\file.vbs"
    3⤵
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\DCRAT-Crack-main\updatelauncher.bat" "
1⤵
PID:3652
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 3 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:2468
- C:\Users\Admin\Desktop\DCRAT-Crack-main\dcrat_updservice.exe
  "C:\Users\Admin\Desktop\DCRAT-Crack-main\/dcrat_updservice.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID:3108
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\webintoruntimesvc\QICY7Iox.vbe"
    3⤵
    - Checks computer location settings
    PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\webintoruntimesvc\RfOoYslo.bat" "
      4⤵
      PID:6032
    - - C:\webintoruntimesvc\Serverfontsaves.exe
        
        "C:\webintoruntimesvc\Serverfontsaves.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\Serverfontsaves.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5584
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cydCZMhLGR.bat"
        6⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5884
        
        C:\Program Files\Windows Multimedia Platform\msedge.exe
        
        "C:\Program Files\Windows Multimedia Platform\msedge.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\webintoruntimesvc\file.vbs"
    3⤵
    PID:4180

C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.sfx.exe
"C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.sfx.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.sfx.exe
"C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.sfx.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\webintoruntimesvc\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\webintoruntimesvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\webintoruntimesvc\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wscript.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\webintoruntimesvc\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\webintoruntimesvc\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\wscript.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\webintoruntimesvc\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\webintoruntimesvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\webintoruntimesvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\webintoruntimesvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DCRat.sfxD" /sc MINUTE /mo 11 /tr "'C:\webintoruntimesvc\DCRat.sfx.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DCRat.sfx" /sc ONLOGON /tr "'C:\webintoruntimesvc\DCRat.sfx.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DCRat.sfxD" /sc MINUTE /mo 11 /tr "'C:\webintoruntimesvc\DCRat.sfx.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\95f6663c671e4de7bc806152251dd931 /t 1812 /p 4952
1⤵
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\webintoruntimesvc\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\webintoruntimesvc\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\webintoruntimesvc\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\webintoruntimesvc\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\webintoruntimesvc\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\webintoruntimesvc\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\DCRAT-Crack-main\" -an -ai#7zMap27349:102:7zEvent3467
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6748

C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.exe
"C:\Users\Admin\Desktop\DCRAT-Crack-main\DCRat.exe"
1⤵
- Executes dropped EXE
PID:752
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIIIllIllIlIIIlIIIIIIlIIIIIIIlllIlllIIIIllIIlIIIllIIlIllllIllIIlllllIlIIllIIIIIIIIIllIlIIIIIllIllIllIIlllIlIIlIllllIIII.jar;lib\IIlIIIlIlIIIIIllllIlIllIlIIIllIlllIllIIIIlllIllIlIllllIIlIlIIIllIIlIlIIllllIlIlIlIIlIlllIlIlIIIlIIIIIIllllllllIlIllIIIIl.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  PID:212

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\004e1b5c7c5c43ea874cc06db31926c0 /t 2024 /p 4844
1⤵
PID:6772

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11819:68:7zEvent150
1⤵
PID:5240

C:\Users\Admin\Desktop\dcrat_updservice.exe
"C:\Users\Admin\Desktop\dcrat_updservice.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:6904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\webintoruntimesvc\QICY7Iox.vbe"
  2⤵
  - Checks computer location settings
  PID:6920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\webintoruntimesvc\RfOoYslo.bat" "
    3⤵
    PID:3192
  - - C:\webintoruntimesvc\Serverfontsaves.exe
      "C:\webintoruntimesvc\Serverfontsaves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      PID:5096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\Serverfontsaves.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\webintoruntimesvc\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\Serverfontsaves.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6192
    - - C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5672
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\757197a3-0a25-4982-bd24-4a26bb7bdd71.vbs"
        6⤵
        
        PID:3964
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fcf8f80-bf11-4669-86aa-43d58040c522.vbs"
        8⤵
        
        PID:6236
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb4d788-0236-49c5-8c8e-f5dc7aadf7a0.vbs"
        10⤵
        
        PID:6228
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\960569fb-4169-4086-9e70-715ecf617cf8.vbs"
        12⤵
        
        PID:6368
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\901b7450-25fe-4b93-8a49-cbe38a434bf5.vbs"
        14⤵
        
        PID:1784
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a341123-fbac-4f03-8c83-a64fb939bf8a.vbs"
        16⤵
        
        PID:6524
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47768a9a-14ce-4659-8ea0-fe6fa5755922.vbs"
        18⤵
        
        PID:5348
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fbce369-269c-4a9d-a49e-806730b705b7.vbs"
        20⤵
        
        PID:6572
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        21⤵
        Executes dropped EXE
        
        PID:6860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1cc575a-43a6-47aa-9dc6-d083091e03af.vbs"
        20⤵
        
        PID:6548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\503c8640-738f-4815-969d-17554abceb87.vbs"
        18⤵
        
        PID:6440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1650be2-c88c-4dcc-b786-a33a36d6ebaf.vbs"
        16⤵
        
        PID:5656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b001bdec-7b0e-4759-bf81-93001285d110.vbs"
        14⤵
        
        PID:6444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dc5b423-1547-45ad-9ff1-b5d66cbf9bbe.vbs"
        12⤵
        
        PID:5444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a1abd79-4f5a-4101-b6a6-8d8c5c3a448b.vbs"
        10⤵
        
        PID:5360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4d1fc08-dbae-400c-bf68-71cd15276edf.vbs"
        8⤵
        
        PID:5960
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efa53c6d-a528-4aca-9952-dc81b1d16e1e.vbs"
        6⤵
        
        PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\webintoruntimesvc\file.vbs"
  2⤵
  PID:5592

C:\Users\Admin\Desktop\DCRat.exe
"C:\Users\Admin\Desktop\DCRat.exe"
1⤵
- Executes dropped EXE
PID:3660
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIIIllIllIlIIIlIIIIIIlIIIIIIIlllIlllIIIIllIIlIIIllIIlIllllIllIIlllllIlIIllIIIIIIIIIllIlIIIIIllIllIllIIlllIlIIlIllllIIII.jar;lib\IIlIIIlIlIIIIIllllIlIllIlIIIllIlllIllIIIIlllIllIlIllllIIlIlIIIllIIlIlIIllllIlIlIlIIlIlllIlIlIIIlIIIIIIllllllllIlIllIIIIl.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  PID:6936

C:\Users\Admin\Desktop\DCRat.exe
"C:\Users\Admin\Desktop\DCRat.exe"
1⤵
- Executes dropped EXE
PID:1812
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIIIllIllIlIIIlIIIIIIlIIIIIIIlllIlllIIIIllIIlIIIllIIlIllllIllIIlllllIlIIllIIIIIIIIIllIlIIIIIllIllIllIIlllIlIIlIllllIIII.jar;lib\IIlIIIlIlIIIIIllllIlIllIlIIIllIlllIllIIIIlllIllIlIllllIIlIlIIIllIIlIlIIllllIlIlIlIIlIlllIlIlIIIlIIIIIIllllllllIlIllIIIIl.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  PID:1980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
PID:7104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:6424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\webintoruntimesvc\Idle.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\webintoruntimesvc\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\webintoruntimesvc\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerfontsavesS" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\Sorting\Serverfontsaves.exe'" /f
1⤵
- DcRat
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Serverfontsaves" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\Serverfontsaves.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerfontsavesS" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Sorting\Serverfontsaves.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4556

C:\webintoruntimesvc\wscript.exe
C:\webintoruntimesvc\wscript.exe
1⤵
- Executes dropped EXE
PID:6792

C:\webintoruntimesvc\sppsvc.exe
C:\webintoruntimesvc\sppsvc.exe
1⤵
- Executes dropped EXE
PID:2860

C:\webintoruntimesvc\taskhostw.exe
C:\webintoruntimesvc\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1616

C:\webintoruntimesvc\OfficeClickToRun.exe
C:\webintoruntimesvc\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:6408

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5524
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d0d25aa-9dc8-4d67-b78c-360965ddbb04.vbs"
  2⤵
  PID:7024
- - C:\Recovery\WindowsRE\csrss.exe
    C:\Recovery\WindowsRE\csrss.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID:2960
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44a174e5-dbc5-4caf-97a7-ccee38b462bd.vbs"
      4⤵
      PID:3740
    - - C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0952c0c9-fc9e-4a1a-8e52-bec86f6f9f50.vbs"
        6⤵
        
        PID:2868
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cde391ee-7150-4f3e-a6e9-7ae3a83f202a.vbs"
        8⤵
        
        PID:936
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcd64038-f0b8-4c01-86a3-61a5ed08cde5.vbs"
        10⤵
        
        PID:3584
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e3a0055-a7c3-457b-bf75-a9d0331415d6.vbs"
        12⤵
        
        PID:5364
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94bb254b-d834-49f8-ac6b-88af5b3957bc.vbs"
        14⤵
        
        PID:5712
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7532cc4-a59e-4adf-a51d-a845f2520617.vbs"
        16⤵
        
        PID:4004
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\411a4ac2-e21c-4bb9-897e-38896dd294c8.vbs"
        18⤵
        
        PID:6332
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb810c19-0dc3-4ea1-8f40-6980697451cc.vbs"
        20⤵
        
        PID:5436
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e4394e8-a391-4be0-b209-e8f55cca56b7.vbs"
        22⤵
        
        PID:5848
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f703802f-01b5-437d-a8b1-d7bb7e0e9a33.vbs"
        24⤵
        
        PID:4048
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c424fc54-9abe-4e05-81cf-d0cf4f1cc0d2.vbs"
        26⤵
        
        PID:6816
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa4f30d-c8ac-4a65-bddf-ddc94859e9b8.vbs"
        28⤵
        
        PID:6876
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab304e8-29e4-4578-86b5-11354ef98c18.vbs"
        30⤵
        
        PID:5676
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c68a420-e154-4c2b-8bb9-db3d17f8c534.vbs"
        32⤵
        
        PID:7088
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33dfa68-0bd0-4fa4-ad55-362971a51e07.vbs"
        34⤵
        
        PID:3948
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d836392-3c0a-45d0-b104-b423a8660d56.vbs"
        36⤵
        
        PID:4340
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94516e43-eff0-4e10-8e06-e114c16988aa.vbs"
        38⤵
        
        PID:4396
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9526f69-9217-41dd-a6d0-a0fe08ceaa41.vbs"
        40⤵
        
        PID:1552
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79643c5e-e4e5-4f7c-ac02-5127e08e6394.vbs"
        42⤵
        
        PID:516
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1665fde8-31e1-4c06-8509-97097671295e.vbs"
        44⤵
        
        PID:2272
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76683b5-5cde-4f45-a1df-a9e619911db1.vbs"
        46⤵
        
        PID:4860
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1369c1dd-98c2-42c8-99c4-85fd3dbff844.vbs"
        48⤵
        
        PID:6616
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        49⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e505c3-48d1-4c6d-8051-d67b0436c6bc.vbs"
        48⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8c3eb01-f836-4742-8f56-22b21f15f384.vbs"
        46⤵
        
        PID:652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8839e269-8444-4bd2-9582-0e37da87ab90.vbs"
        44⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d506285b-6277-4a0d-8362-ed80913e13ce.vbs"
        42⤵
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb7b2741-0d08-4f6f-a983-348b49c7eefe.vbs"
        40⤵
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95913ad9-f3b0-43d7-a422-5539fb789a14.vbs"
        38⤵
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8bc5173-fd0a-47d5-8981-ef2c43f58b09.vbs"
        36⤵
        
        PID:6976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f54ec7e-351c-40e6-a155-e8567732294c.vbs"
        34⤵
        
        PID:5480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e4ce053-3901-4723-b12b-428af6c425c2.vbs"
        32⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e735bfc-cccf-44c9-b1cd-58cc286eade4.vbs"
        30⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71877e3d-01b6-4994-916a-e99fa635c56e.vbs"
        28⤵
        
        PID:3632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80e6c085-5aa7-4518-865c-240bf4998fbe.vbs"
        26⤵
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47efabba-62dc-45e8-8df4-67c14affd3c0.vbs"
        24⤵
        
        PID:6540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42aa34e0-f1ea-4c60-9854-88bf2047720a.vbs"
        22⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c85c122-0634-4b38-ad42-310a4950a6e7.vbs"
        20⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e436cca5-8228-404f-a724-ff27d79ea72d.vbs"
        18⤵
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9b42eeb-21e9-4d40-9910-2cbba90d6135.vbs"
        16⤵
        
        PID:5456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9197ff0e-f1f7-4b6f-bc22-9b1ad5bf4276.vbs"
        14⤵
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d3c0f9c-440f-4bcf-8624-4e8c3b0b618f.vbs"
        12⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bbe7cfe-f64d-4a93-9995-4b49b14880ee.vbs"
        10⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04ca5416-b942-482b-8dbd-a4c224c9c8c0.vbs"
        8⤵
        
        PID:5248
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee77c6b0-1a3e-4aa2-b2c6-8fc9e66040c6.vbs"
        6⤵
        
        PID:3776
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ace84537-8408-4d3e-9c9f-4962d404cf09.vbs"
      4⤵
      PID:5212
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a70c6fd8-1b8d-464e-b72b-d700a68db63e.vbs"
  2⤵
  PID:6820

C:\Recovery\WindowsRE\TextInputHost.exe
C:\Recovery\WindowsRE\TextInputHost.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9e5a7ab58,0x7ff9e5a7ab68,0x7ff9e5a7ab78
  2⤵
  PID:6592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:2
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1396 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:6380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3988 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4324 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4776 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3376 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3404 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:6868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:6896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5240 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5436 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5748 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:6768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5824 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5252 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5268 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:6340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5016 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:6152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5416 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5624 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5960 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3044 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Users\Admin\Downloads\SC INSTALLER.exe
  "C:\Users\Admin\Downloads\SC INSTALLER.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies Control Panel
  PID:1684
- - C:\Users\Admin\Downloads\SC INSTALLER.exe
    "C:\Users\Admin\Downloads\SC INSTALLER.exe" /i "C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\install\51B5780\SandeLLoCHECKER_Installer.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER" SHORTCUTDIR="C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER" SECONDSEQUENCE="1" CLIENTPROCESSID="1684" CHAINERUIPROCESSID="1684Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_DETECTED_DOTNET_VERSION="4.8" AI_DETECTED_PHYSICAL_MEMORY="8192" AI_SETUPEXEPATH="C:\Users\Admin\Downloads\SC INSTALLER.exe" SETUPEXEDIR="C:\Users\Admin\Downloads\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1715038523 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\Downloads\SC INSTALLER.exe" TARGETDIR="F:\" AI_INSTALL="1"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5504 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:2
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4936 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1876,i,16531257054205429128,15879423768598939195,131072 /prefetch:8
  2⤵
  PID:7084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x498
1⤵
PID:6912

C:\webintoruntimesvc\wscript.exe
C:\webintoruntimesvc\wscript.exe
1⤵
- Executes dropped EXE
PID:1516

C:\webintoruntimesvc\sppsvc.exe
C:\webintoruntimesvc\sppsvc.exe
1⤵
- Executes dropped EXE
PID:6468

C:\webintoruntimesvc\taskhostw.exe
C:\webintoruntimesvc\taskhostw.exe
1⤵
- Executes dropped EXE
PID:932

C:\webintoruntimesvc\OfficeClickToRun.exe
C:\webintoruntimesvc\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:6688

C:\Windows\uk-UA\sihost.exe
C:\Windows\uk-UA\sihost.exe
1⤵
- Executes dropped EXE
PID:6224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:1076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0406E92DB4242FBA4BFE984567527C08 C
  2⤵
  - Loads dropped DLL
  PID:6560
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D99A6F106FE0254C3F5B281B8888EA0C
  2⤵
  - Loads dropped DLL
  PID:3932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:452

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:6612
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c7aa960-d47e-4b63-b01b-b01bec4030ba.vbs"
  2⤵
  PID:1916
- - C:\Recovery\WindowsRE\csrss.exe
    C:\Recovery\WindowsRE\csrss.exe
    3⤵
    - Executes dropped EXE
    PID:6188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf33258d-ff9c-4d9b-84ab-9db9641cb8cf.vbs"
  2⤵
  PID:7060

C:\webintoruntimesvc\DCRat.sfx.exe
C:\webintoruntimesvc\DCRat.sfx.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6304

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe"
1⤵
- Loads dropped DLL
PID:5952

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe"
1⤵
- Loads dropped DLL
PID:5132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SelfUpdate\AppUpdater.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SelfUpdate\AppUpdater.exe"
1⤵
- Loads dropped DLL
PID:5900

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SelfUpdate\AppUpdater.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SelfUpdate\AppUpdater.exe"
1⤵
- Loads dropped DLL
PID:6884

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\SandeLLo CHECKER.exe"
1⤵
- Loads dropped DLL
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Extras\reg2.bat" "
1⤵
PID:6544
- C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Extras\regjump.exe
  regjump HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView
  2⤵
  PID:1436
- - C:\Windows\Regedit.exe
    C:\Windows\Regedit.exe
    3⤵
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2248

C:\Recovery\WindowsRE\TextInputHost.exe
C:\Recovery\WindowsRE\TextInputHost.exe
1⤵
- Checks computer location settings
- Modifies registry class
PID:1088
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735b7d05-1a6b-45e0-90b3-4035e8ff66ee.vbs"
  2⤵
  PID:6652
- - C:\Recovery\WindowsRE\TextInputHost.exe
    C:\Recovery\WindowsRE\TextInputHost.exe
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:4188
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dcb83b8-1ba4-4b38-b4a7-a0a942d02f39.vbs"
      4⤵
      PID:6968
    - - C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2820
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e051a56a-b198-4828-be51-92989f27de13.vbs"
        6⤵
        
        PID:6028
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ed25d5e-d892-43f8-b831-8d83eb38b645.vbs"
        8⤵
        
        PID:6164
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        9⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb97fb61-11e7-49c1-a02a-60a192a6d638.vbs"
        10⤵
        
        PID:5700
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        11⤵
        Checks computer location settings
        Modifies registry class
        
        PID:704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bb837b6-b402-4b9d-98b7-9407e19be2cf.vbs"
        12⤵
        
        PID:7024
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        13⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5349368-d6e6-4a29-bc86-ac6c047e6884.vbs"
        14⤵
        
        PID:980
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        15⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80a59cbf-0f46-43b2-9c58-145cef474a1a.vbs"
        16⤵
        
        PID:5744
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        17⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ea5fc3c-9815-43bc-b86e-c2e6df773aad.vbs"
        18⤵
        
        PID:2248
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        19⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f325c84a-abbc-4ac9-8796-9e4cd99f8c8b.vbs"
        20⤵
        
        PID:1088
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b72c49d4-4e94-4a63-8f2c-7182a242a06a.vbs"
        22⤵
        
        PID:6424
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        23⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\183676cc-f22b-43a4-98c6-e38dae5da48c.vbs"
        24⤵
        
        PID:5240
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        25⤵
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db7acba9-75dc-485f-a3db-374d1d9470ac.vbs"
        24⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\043a1a7a-e6f0-430d-8415-e3f7ef13fd30.vbs"
        22⤵
        
        PID:6300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a701609-b507-45a0-a67c-099fc660df81.vbs"
        20⤵
        
        PID:6876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b110f998-eee4-44e9-97d5-99141f974b0f.vbs"
        18⤵
        
        PID:5244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a15a0510-2811-4bb5-bced-03880175f06e.vbs"
        16⤵
        
        PID:6304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24af5bd3-79fb-4354-86a7-99636c189a2c.vbs"
        14⤵
        
        PID:3628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abb5be50-7bab-4d1c-be5d-accca381fddc.vbs"
        12⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7657456f-45af-4503-814c-e277d25de3fa.vbs"
        10⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1725f00d-068f-4fbc-b9d8-752b8b0e0043.vbs"
        8⤵
        
        PID:5500
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e2db9f8-3a18-43af-a0de-b1494363c35c.vbs"
        6⤵
        
        PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ca27bdb-83eb-4940-9a7d-dacc2d05af44.vbs"
      4⤵
      PID:5448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd4ff4d8-30e3-483f-9649-cfcd1f013752.vbs"
  2⤵
  PID:2284

C:\webintoruntimesvc\Idle.exe
C:\webintoruntimesvc\Idle.exe
1⤵
PID:2460

C:\Windows\ServiceProfiles\LocalService\winlogon.exe
C:\Windows\ServiceProfiles\LocalService\winlogon.exe
1⤵
PID:7076

C:\webintoruntimesvc\dllhost.exe
C:\webintoruntimesvc\dllhost.exe
1⤵
PID:6360

C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\msedge.exe"
1⤵
PID:4224

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\BrowserDownloadsView.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\BrowserDownloadsView.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:468

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\shellbag.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\shellbag.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\BrowserDownloadsView.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\BrowserDownloadsView.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2456

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\DevManView.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\DevManView.exe"
1⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:5276

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\ExecutedProgramsList.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\ExecutedProgramsList.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6240

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\MUICacheView.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\MUICacheView.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4280

C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\JumpListsView.exe
"C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\Apps\JumpListsView.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4032

C:\webintoruntimesvc\wscript.exe
C:\webintoruntimesvc\wscript.exe
1⤵
- Checks computer location settings
- Modifies registry class
PID:2364
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42dd8d69-720e-4c44-868f-2112c101a287.vbs"
  2⤵
  PID:6396
- - C:\webintoruntimesvc\wscript.exe
    C:\webintoruntimesvc\wscript.exe
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:6928
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ae6937-68c8-4541-9617-bc63eb52cf9f.vbs"
      4⤵
      PID:5932
    - - C:\webintoruntimesvc\wscript.exe
        
        C:\webintoruntimesvc\wscript.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6868
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05071726-0b5c-4b83-92cb-bde9c22de939.vbs"
        6⤵
        
        PID:6788
        
        C:\webintoruntimesvc\wscript.exe
        
        C:\webintoruntimesvc\wscript.exe
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9febf5ad-83e2-455c-a753-c0cc83669dcd.vbs"
        8⤵
        
        PID:6636
        
        C:\webintoruntimesvc\wscript.exe
        
        C:\webintoruntimesvc\wscript.exe
        9⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5438a647-ff8c-49e7-8f38-b09c670f3bf0.vbs"
        10⤵
        
        PID:628
        
        C:\webintoruntimesvc\wscript.exe
        
        C:\webintoruntimesvc\wscript.exe
        11⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44f8ff61-a0cc-41cc-976e-478c598f2e0c.vbs"
        12⤵
        
        PID:2940
        
        C:\webintoruntimesvc\wscript.exe
        
        C:\webintoruntimesvc\wscript.exe
        13⤵
        
        PID:6884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1c15061-9b11-4867-a786-afc158c8781b.vbs"
        12⤵
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5a36238-437d-43cc-9fc0-889e83ec0a2a.vbs"
        10⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f006aed-0e44-4b7d-8556-b9abe43aae72.vbs"
        8⤵
        
        PID:1904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17569032-5a70-4aec-b021-e3bdfa739aed.vbs"
        6⤵
        
        PID:1348
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2f6dafa-5984-4634-b4eb-1a4a3be1f1ad.vbs"
      4⤵
      PID:6476
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5169cb10-1e8b-4f58-82f1-97ad8b7040fa.vbs"
  2⤵
  PID:4344

C:\webintoruntimesvc\sppsvc.exe
C:\webintoruntimesvc\sppsvc.exe
1⤵
PID:5044

C:\webintoruntimesvc\taskhostw.exe
C:\webintoruntimesvc\taskhostw.exe
1⤵
PID:888

C:\webintoruntimesvc\OfficeClickToRun.exe
C:\webintoruntimesvc\OfficeClickToRun.exe
1⤵
PID:4104

C:\Windows\Globalization\Sorting\Serverfontsaves.exe
C:\Windows\Globalization\Sorting\Serverfontsaves.exe
1⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ff9e5e046f8,0x7ff9e5e04708,0x7ff9e5e04718
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:6580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
  2⤵
  PID:7028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:7164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:6396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  PID:2456
- C:\Users\Admin\Downloads\GPU-Z.2.59.0.exe
  "C:\Users\Admin\Downloads\GPU-Z.2.59.0.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3480
- C:\Users\Admin\Downloads\GPU-Z.2.59.0.exe
  "C:\Users\Admin\Downloads\GPU-Z.2.59.0.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13083777063469456932,12642585048910207518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4048 /prefetch:2
  2⤵
  PID:5848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1440

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Checks computer location settings
- Modifies registry class
PID:6888
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a359495d-a8cd-4202-8b26-9dc43afcbc6d.vbs"
  2⤵
  PID:1964
- - C:\Recovery\WindowsRE\csrss.exe
    C:\Recovery\WindowsRE\csrss.exe
    3⤵
    PID:2920
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\295b35d5-4cb1-494f-9bfe-53b87d6429f4.vbs"
  2⤵
  PID:6148

C:\Users\Default User\SppExtComObj.exe
"C:\Users\Default User\SppExtComObj.exe"
1⤵
PID:808

C:\Users\Admin\Downloads\GPU-Z.2.59.0.exe
"C:\Users\Admin\Downloads\GPU-Z.2.59.0.exe"
1⤵
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4704
- C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\is-L12O9.tmp\gpuz_installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-L12O9.tmp\gpuz_installer.tmp" /SL5="$110562,832512,832512,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4816
  - - C:\Program Files (x86)\GPU-Z\GPU-Z.exe
      "C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery