netwire | hxxp://e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	464	7016	rundll32.exe	967

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/6160-6122-0x00000000055D0000-0x00000000055F8000-memory.dmp	rezer0

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3829	464	rundll32.exe

Contacts a large (779) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5996	attrib.exe
6564	attrib.exe
4632	attrib.exe
2504	attrib.exe
4348	attrib.exe
3840	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Control Panel\International\Geo\Nation	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Control Panel\International\Geo\Nation	PCHelpSoftDriverUpdater.exe

Executes dropped EXE 28 IoCs

pid	Process
2260	Driver_Updater_setup.exe
4704	Driver_Updater_setup.tmp
2744	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
4352	DriverPro.exe
1100	PCHelpSoftDriverUpdater.exe
2396	PCHelpSoftDriverUpdater.exe
1252	XModz Mod Menu.exe
1376	XModz Mod Menu.exe
2832	XModz Mod Menu.exe
5696	XModz Mod Menu.exe
5652	XModz Mod Menu.exe
6308	XModz Mod Menu.exe
5212	OperaGXSetup.exe
5404	OperaGXSetup.exe
7128	OperaGXSetup.exe
6792	OperaGXSetup.exe
2312	OperaGXSetup.exe
5348	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
4940	assistant_installer.exe
896	assistant_installer.exe
3600	msload.exe
6004	msload.exe
5456	Userdata.exe
6512	Server.exe
3096	winupdate.exe
4752	winupdate.exe
72	Free YouTube Downloader.exe

Loads dropped DLL 22 IoCs

pid	Process
2744	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
4352	DriverPro.exe
3260	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
2396	PCHelpSoftDriverUpdater.exe
1252	XModz Mod Menu.exe
1376	XModz Mod Menu.exe
2832	XModz Mod Menu.exe
5696	XModz Mod Menu.exe
1376	XModz Mod Menu.exe
1376	XModz Mod Menu.exe
1376	XModz Mod Menu.exe
1376	XModz Mod Menu.exe
5652	XModz Mod Menu.exe
5212	OperaGXSetup.exe
5404	OperaGXSetup.exe
7128	OperaGXSetup.exe
6792	OperaGXSetup.exe
2312	OperaGXSetup.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-6332-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1688-6411-0x00000000000D0000-0x000000000070D000-memory.dmp	upx
behavioral1/memory/1688-6499-0x00000000000D0000-0x000000000070D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACCOUNTACCESSOR = "C:\\WINDOWS\\ACCOUNTACCESSOR.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DEFAULTPRINTERPROVIDER = "C:\\WINDOWS\\DEFAULTPRINTERPROVIDER.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mod Menu = "C:\\Users\\Admin\\AppData\\Roaming\\Mod Menu\\XModz Mod Menu.exe"	Mod Menu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DISKUSAGE = "C:\\WINDOWS\\DISKUSAGE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\CURL = "C:\\WINDOWS\\CURL.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\COMRES = "C:\\WINDOWS\\COMRES.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
585	raw.githubusercontent.com
586	raw.githubusercontent.com
587	raw.githubusercontent.com
588	raw.githubusercontent.com
2507	drive.google.com
2514	drive.google.com
3650	drive.google.com
321	raw.githubusercontent.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1688-6411-0x00000000000D0000-0x000000000070D000-memory.dmp	autoit_exe
behavioral1/memory/1688-6499-0x00000000000D0000-0x000000000070D000-memory.dmp	autoit_exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	PCHelpSoftDriverUpdater.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	PCHelpSoftDriverUpdater.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 6532	3792	NetWire.exe	594
PID 5456 set thread context of 6800	5456	Userdata.exe	862
PID 6160 set thread context of 5088	6160	WarzoneRAT.exe	871
PID 1688 set thread context of 4864	1688	VeryFun.exe	1108
PID 1688 set thread context of 6148	1688	VeryFun.exe	1109

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-N3B7S.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-9PJEU.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-R73QG.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-5RKCG.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-JQVTL.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-173FR.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-OS97R.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\English.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\DriverPro.exe	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\stub64.exe	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-S4K2B.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Finnish.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\French.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\7z.dll	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-1FHG6.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-KSO7S.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-ENTR4.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-KN87F.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-6PM3B.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\unins000.dat	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-UJV2A.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-046A4.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-4IQKC.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Polish.ini	DriverPro.exe
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-T7TUO.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-V594L.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\unins000.dat	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-IM0K3.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-AC7C5.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-KGIPJ.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\unins000.msg	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-TOR4C.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-JIBR4.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Swedish.ini	DriverPro.exe
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-9EL78.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\German.ini	DriverPro.exe
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-JBLS4.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-LT9ST.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\HDMSchedule.exe	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Japanese.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Russian.ini	DriverPro.exe
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-AFNI6.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Dutch.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Italian.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Portuguese.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Settings.ini	DriverPro.exe
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-OAHGH.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-DQGRT.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-B39GG.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-J3D8T.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-HTRRS.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-JJ1N5.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-H7GPD.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Brazilian.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\PlayaSDK.dll	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-R31NL.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-8CVMD.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\is-KDMJG.tmp	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-EITUE.tmp	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\Norwegian.ini	DriverPro.exe
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\sqlite3.dll	Driver_Updater_setup.tmp
File opened for modification	C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\sqlite3.dll	Driver_Updater_setup.tmp
File created	C:\Program Files (x86)\PC HelpSoft Driver Updater\is-91CTH.tmp	Driver_Updater_setup.tmp

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\MPREXE.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\msload.exe	msload.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File created	C:\WINDOWS\COMRES.EXE	Opaserv.l.exe
File created	C:\WINDOWS\ACCOUNTACCESSOR.EXE	Opaserv.l.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File created	C:\Windows\INF\c_media.PNF	PCHelpSoftDriverUpdater.exe
File opened for modification	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	Opaserv.l.exe
File created	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\INF\c_monitor.PNF	PCHelpSoftDriverUpdater.exe
File created	C:\WINDOWS\DISKUSAGE.EXE	Opaserv.l.exe
File created	C:\Windows\INF\c_diskdrive.PNF	PCHelpSoftDriverUpdater.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\WINDOWS\ACCOUNTACCESSOR.EXE	Opaserv.l.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\INF\c_volume.PNF	PCHelpSoftDriverUpdater.exe
File created	C:\Windows\INF\c_display.PNF	PCHelpSoftDriverUpdater.exe
File created	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File created	C:\Windows\INF\c_processor.PNF	PCHelpSoftDriverUpdater.exe
File opened for modification	C:\WINDOWS\COMRES.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DISKUSAGE.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	msload.exe
File opened for modification	C:\WINDOWS\CURL.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DEFAULTPRINTERPROVIDER.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	msload.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	msload.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	msload.exe
File opened for modification	C:\Windows\MSBIND.DLL	Opaserv.l.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File created	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File created	C:\WINDOWS\CURL.EXE	Opaserv.l.exe
File created	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	msload.exe
File opened for modification	C:\Windows\System.ini	VeryFun.exe
File created	C:\WINDOWS\DEFAULTPRINTERPROVIDER.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	msload.exe
File opened for modification	\??\c:\windows\system\msload.exe	msload.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1724	6444	WerFault.exe	255
1932	3800	WerFault.exe	260

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceCharacteristics	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UINumberDescFormat	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0004	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ParentIdPrefix	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0003	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ParentIdPrefix	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceCharacteristics	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0004	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	PCHelpSoftDriverUpdater.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	PCHelpSoftDriverUpdater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	PCHelpSoftDriverUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	PCHelpSoftDriverUpdater.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.HDM_encrypted\OpenWithProgids\PCHelpSoftDriverUpdater.HDM_encrypted	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).top = "71"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).y = "4294967295"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PCHelpSoftDriverUpdater.HDM_encrypted	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\shell\open\command	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\PCHelpSoftDriverUpdater.exe\SupportedTypes	Driver_Updater_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\pchsdriver\URL Protocol	PCHelpSoftDriverUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.HDM_encrypted\OpenWithProgids	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\pchsdriver	PCHelpSoftDriverUpdater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HDM_encrypted	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\shell\open\command	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\ = "PC HelpSoft Driver Updater Protected File"	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\DefaultIcon	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\shell\open	Driver_Updater_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\pchsdriver\ = "URL: Driver Updater Protocol"	PCHelpSoftDriverUpdater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\shell	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PCHelpSoftDriverUpdater.exe\SupportedTypes\.HDM_encrypted	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PCHelpSoftDriverUpdater.exe\SupportedTypes	Driver_Updater_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\pchsdriver\shell	PCHelpSoftDriverUpdater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).bottom = "671"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).left = "191"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\pchsdriver\shell\open	PCHelpSoftDriverUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\pchsdriver\shell\open\command\ = "\"C:\\Program Files (x86)\\PC HelpSoft Driver Updater\\PCHelpSoftDriverUpdater.exe\" \"%1\""	PCHelpSoftDriverUpdater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "12"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HDM_encrypted\OpenWithProgids	Driver_Updater_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\shell\open\command\ = "\"C:\\Program Files (x86)\\PC HelpSoft Driver Updater\\Extra\\DriverPro.exe\" \"%1\""	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-423582142-4191893794-1888535462-1000\{32B04EDC-6F2E-43FE-BAAE-F339D7A53F66}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).right = "991"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCHelpSoftDriverUpdater.HDM_encrypted\DefaultIcon\ = "C:\\Program Files (x86)\\PC HelpSoft Driver Updater\\PCHelpSoftDriverUpdater.exe,0"	Driver_Updater_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PCHelpSoftDriverUpdater.exe	Driver_Updater_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	explorer.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

pid	Process
112	reg.exe
3508	reg.exe
4688	reg.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 627046.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mod.Menu.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 639634.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe\:SmartScreen:$DATA	OperaGXSetup.exe
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe\:Zone.Identifier:$DATA	OperaGXSetup.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 385991.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Driver_Updater_setup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4344	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
464	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
6208	explorer.exe
7016	WINWORD.EXE
7016	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3000	msedge.exe
3000	msedge.exe
2312	msedge.exe
2312	msedge.exe
2536	identity_helper.exe
2536	identity_helper.exe
1864	msedge.exe
1864	msedge.exe
2660	msedge.exe
2660	msedge.exe
4704	Driver_Updater_setup.tmp
4704	Driver_Updater_setup.tmp
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
2744	PCHelpSoftDriverUpdater.exe
4352	DriverPro.exe
4352	DriverPro.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
3260	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
4532	msedge.exe
4532	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6208	explorer.exe
6800	iexplore.exe
3700	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	PCHelpSoftDriverUpdater.exe
Token: SeIncreaseQuotaPrivilege	2744	PCHelpSoftDriverUpdater.exe
Token: SeImpersonatePrivilege	2744	PCHelpSoftDriverUpdater.exe
Token: SeLoadDriverPrivilege	2744	PCHelpSoftDriverUpdater.exe
Token: SeDebugPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeIncreaseQuotaPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeImpersonatePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeLoadDriverPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeDebugPrivilege	1100	PCHelpSoftDriverUpdater.exe
Token: SeIncreaseQuotaPrivilege	1100	PCHelpSoftDriverUpdater.exe
Token: SeImpersonatePrivilege	1100	PCHelpSoftDriverUpdater.exe
Token: SeLoadDriverPrivilege	1100	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	3260	PCHelpSoftDriverUpdater.exe
Token: SeDebugPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeIncreaseQuotaPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeImpersonatePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeLoadDriverPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeBackupPrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeRestorePrivilege	2396	PCHelpSoftDriverUpdater.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe
Token: SeShutdownPrivilege	1252	XModz Mod Menu.exe
Token: SeCreatePagefilePrivilege	1252	XModz Mod Menu.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
4704	Driver_Updater_setup.tmp
1100	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
1100	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
1100	PCHelpSoftDriverUpdater.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4240	WindowsUpdate.exe
4240	WindowsUpdate.exe
4240	WindowsUpdate.exe
4240	WindowsUpdate.exe
4240	WindowsUpdate.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
5212	OperaGXSetup.exe
6800	iexplore.exe
7012	VanToM-Rat.bat
6512	Server.exe
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
7016	WINWORD.EXE
948	FreeYoutubeDownloader.exe
1688	VeryFun.exe
4864	cmd.exe
6148	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2640	3000	msedge.exe	79
PID 3000 wrote to memory of 2640	3000	msedge.exe	79
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 1424	3000	msedge.exe	80
PID 3000 wrote to memory of 3464	3000	msedge.exe	81
PID 3000 wrote to memory of 3464	3000	msedge.exe	81
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82
PID 3000 wrote to memory of 2116	3000	msedge.exe	82

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4632	attrib.exe
2504	attrib.exe
4348	attrib.exe
3840	attrib.exe
5996	attrib.exe
6564	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://e
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff297c3cb8,0x7fff297c3cc8,0x7fff297c3cd8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8144 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Users\Admin\Downloads\Driver_Updater_setup.exe
  "C:\Users\Admin\Downloads\Driver_Updater_setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\is-LC3FU.tmp\Driver_Updater_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LC3FU.tmp\Driver_Updater_setup.tmp" /SL5="$70216,5837648,810496,C:\Users\Admin\Downloads\Driver_Updater_setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:4704
  - - C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe
      "C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe" /INSTALL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "PC HelpSoft Driver Updater Schedule" /F
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "PC HelpSoft Driver Updater Monitoring" /F
        5⤵
        
        PID:2800
  - - C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe
      "C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe" /START /INSTALLED
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3260
    - - C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe
        
        "C:\Program Files (x86)\PC HelpSoft Driver Updater\PCHelpSoftDriverUpdater.exe" /TRAY
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\tmp342.tmp_collect\PCHelpSoftDriverUpdater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp342.tmp_collect\PCHelpSoftDriverUpdater.exe" /COLLECT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=n4l4AdUDqyE%3D&mkey3=win_cta1&mkey4=0&mkey5=2&mkey6=0&mkey7=NO_TRIAL
        5⤵
        
        PID:3684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff297c3cb8,0x7fff297c3cc8,0x7fff297c3cd8
        6⤵
        
        PID:1364
  - - C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\DriverPro.exe
      "C:\Program Files (x86)\PC HelpSoft Driver Updater\Extra\DriverPro.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8776 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10024 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10172 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10336 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10428 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10324 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8228 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8476 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9620 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11296 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11496 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11652 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11628 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12056 /prefetch:1
  2⤵
  PID:6200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11636 /prefetch:1
  2⤵
  PID:6372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:6888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:6148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10360 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12180 /prefetch:1
  2⤵
  PID:6900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12144 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - NTFS ADS
  PID:6612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9324 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9224 /prefetch:1
  2⤵
  PID:6592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9140 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9892 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,5281169909017630518,9397519161768780050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10328 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3216
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:5212
- - C:\Users\Admin\Downloads\OperaGXSetup.exe
    C:\Users\Admin\Downloads\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.142 --initial-client-data=0x2c8,0x2c4,0x2e4,0x2b4,0x2e8,0x721b52b8,0x721b52c4,0x721b52d0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5404
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7128
- - C:\Users\Admin\Downloads\OperaGXSetup.exe
    "C:\Users\Admin\Downloads\OperaGXSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5212 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240629210002" --session-guid=3a63235c-824b-47e3-9780-4baec12d142c --server-tracking-blob=YTQ5YTVmOTAwZTRhYjcxODE2OGM0NWEzZGU0M2I5YTg0YzNhNDUxNTAyZDYzMmU5N2ZiY2U1ZDI0ZTA0MzUwMjp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD05Y2VhNTMzYjRjYmU0MzJmYTQwMGMxNTc1MmZkMWZhZSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX0dCX1VWUl8zNzM2JTI2dXRtX2NvbnRlbnQlM0QzNzM2XyUyNnV0bV9pZCUzRDljZWE1MzNiNGNiZTQzMmZhNDAwYzE1NzUyZmQxZmFlJTI2ZWRpdGlvbiUzRHN0ZC0yJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJnV0bV9pZD05Y2VhNTMzYjRjYmU0MzJmYTQwMGMxNTc1MmZkMWZhZSZkbF90b2tlbj0xNzQ5MjUyMCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxOTY5NDc5MS41OTY0IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzkwLjAuNDQzMC4yMTIgU2FmYXJpLzUzNy4zNiBFZGcvOTAuMC44MTguNjYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fR0JfVVZSXzM3MzYiLCJjb250ZW50IjoiMzczNl8iLCJpZCI6IjljZWE1MzNiNGNiZTQzMmZhNDAwYzE1NzUyZmQxZmFlIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vIiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjIwYWZjYjlmLWM0MTQtNDFjMC05NGRmLTQ5NjMyYTFmYjEyYyJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=3409000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    PID:6792
  - - C:\Users\Admin\Downloads\OperaGXSetup.exe
      C:\Users\Admin\Downloads\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.142 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x710652b8,0x710652c4,0x710652d0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406292100021\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406292100021\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:5348
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406292100021\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406292100021\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406292100021\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406292100021\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x8f4f48,0x8f4f58,0x8f4f64
      4⤵
      Executes dropped EXE
      PID:896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8
1⤵
PID:4580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\Temp1_Mod.Menu.zip\Mod Menu.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Mod.Menu.zip\Mod Menu.exe"
1⤵
- Adds Run key to start application
PID:7060
- C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe
  "C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- - C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xmodz-mod-menu-nativefier-e5a4a8" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1688,i,2076413519800758967,11108339657253744644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1376
- - C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xmodz-mod-menu-nativefier-e5a4a8" --mojo-platform-channel-handle=2004 --field-trial-handle=1688,i,2076413519800758967,11108339657253744644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2832
- - C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\xmodz-mod-menu-nativefier-e5a4a8" --app-user-model-id=xmodz-mod-menu-nativefier-e5a4a8 --app-path="C:\Users\Admin\AppData\Roaming\Mod Menu\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2248 --field-trial-handle=1688,i,2076413519800758967,11108339657253744644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5696
- - C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\xmodz-mod-menu-nativefier-e5a4a8" --app-user-model-id=xmodz-mod-menu-nativefier-e5a4a8 --app-path="C:\Users\Admin\AppData\Roaming\Mod Menu\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1688,i,2076413519800758967,11108339657253744644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5652
- - C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Mod Menu\XModz Mod Menu.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\xmodz-mod-menu-nativefier-e5a4a8" --app-user-model-id=xmodz-mod-menu-nativefier-e5a4a8 --app-path="C:\Users\Admin\AppData\Roaming\Mod Menu\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3272 --field-trial-handle=1688,i,2076413519800758967,11108339657253744644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:6308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ds1p17x7ism5r.cloudfront.net/public/dynamo/lockerClick.php?offer=53251401&offer_position=1&it=3847195&m=0&visitor_id=Vdb1f3b6be2b4e&cpguid=&hash=a1a34639cf4d0e069a253fe660e0c805
    3⤵
    PID:6348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff297c3cb8,0x7fff297c3cc8,0x7fff297c3cd8
      4⤵
      PID:6320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7fff297c3cb8,0x7fff297c3cc8,0x7fff297c3cd8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:6516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  PID:6252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:6440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:6448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 /prefetch:8
  2⤵
  - NTFS ADS
  PID:7020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:6992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7092 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1788579211134995343,18230370429667937622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:5480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:6444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 300
  2⤵
  - Program crash
  PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6444 -ip 6444
1⤵
PID:6112

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 256
  2⤵
  - Program crash
  PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3800 -ip 3800
1⤵
PID:4092

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
PID:6856

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
1⤵
PID:1320

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"
1⤵
PID:1388

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe"
1⤵
PID:3908

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Vista.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Vista.exe"
1⤵
PID:2868

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"
1⤵
- Suspicious use of SendNotifyMessage
PID:4240

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
PID:3524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8
1⤵
PID:484

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"
1⤵
PID:6952

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:4084
- C:\Windows\SysWOW64\NET.exe
  NET STOP NAVAPSVC
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP NAVAPSVC
    3⤵
    PID:6212
- C:\Windows\SysWOW64\NET.exe
  NET STOP PERSFW
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP PERSFW
    3⤵
    PID:4864
- C:\Windows\SysWOW64\NET.exe
  NET STOP AVPCC
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP AVPCC
    3⤵
    PID:4588
- C:\Windows\SysWOW64\NET.exe
  NET STOP MCSHIELD
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP MCSHIELD
    3⤵
    PID:6228
- C:\Windows\SysWOW64\NET.exe
  NET STOP SWEEPSRV.SYS
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
    3⤵
    PID:6972
- C:\WINDOWS\system\msload.exe
  C:\WINDOWS\system\msload.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3600
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6068
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:744
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6340
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3812
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3972
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6908
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2936
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6824
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1668
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6652
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6480
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5864
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:7020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:864
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6664
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5684
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5692
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6928
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:464
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4192
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6832
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6728
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5556
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1320
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4764
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2092
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5380
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6180
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4688
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:7140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4340
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5296
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6564
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4304
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4172
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5608
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3516
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3768
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5228
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5012
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3952
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:468
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6736
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1452
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5448
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6584
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5088
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6108
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:884
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5912
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:644
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5948
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4268
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5492
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6204
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:956
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4764
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6912
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4580
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4116
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:7020
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5092
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:7164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4916
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:7128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6668
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6828
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5376
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:7028
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3944
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6468
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6736
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2088
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3156
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3720
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2320
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6948
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5228
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5276
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:7040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6404
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4688
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6268
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6772
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6768
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5504
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6004
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6972
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6828
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5344
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3348
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3660
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6984
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1228
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6104
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:1432
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5296
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6468
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5316
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1832
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6492
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3576
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3352
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5932
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:644
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6808
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3340
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6084
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1432
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5804
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4572
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6944
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6388
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6576
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3816
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:7156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6472
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:948
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5236
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:1124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6796
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6596
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5388
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:564
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6868
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1888
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5188
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5620
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3132
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6260
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:7128
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5768
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:7060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6480
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3816
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3588
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5912
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:256
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5128
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:7156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6364
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3112
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5320
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6884
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5892
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6296
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:7020
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4640
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3224
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5156
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5372
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3736
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6244
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:1052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5188
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:7056
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5912
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6388
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3464
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5236
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5368
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6920
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3472
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5064
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5208
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3884
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3588
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:1432
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5624
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5360
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5680
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5368
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:640
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5024
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4876
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5612
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5660
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5600

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:6640
- C:\Windows\SysWOW64\NET.exe
  NET STOP NAVAPSVC
  2⤵
  PID:6996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP NAVAPSVC
    3⤵
    PID:4948
- C:\Windows\SysWOW64\NET.exe
  NET STOP PERSFW
  2⤵
  PID:6616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP PERSFW
    3⤵
    PID:6552
- C:\Windows\SysWOW64\NET.exe
  NET STOP AVPCC
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP AVPCC
    3⤵
    PID:7132
- C:\Windows\SysWOW64\NET.exe
  NET STOP MCSHIELD
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP MCSHIELD
    3⤵
    PID:5784
- C:\Windows\SysWOW64\NET.exe
  NET STOP SWEEPSRV.SYS
  2⤵
  PID:6596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
    3⤵
    PID:2076
- \??\c:\windows\system\msload.exe
  c:\windows\system\msload.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6004
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:772
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6824
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6528
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3780
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5932
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5472
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6404
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:7020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5864

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
PID:1052
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3792
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:6532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2960

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:836

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5848

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
PID:5880

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6208
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  PID:3700

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
PID:2380
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  - Adds Run key to start application
  PID:5968
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:5380

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:6224
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:5880
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4344
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5668
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:3508
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:6800
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:6116
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4688

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- NTFS ADS
PID:6160
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF57.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5088

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:7012
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:6512

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:4076
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:6564
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5996
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  PID:3096
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4632
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2504
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    PID:4752
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:3840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:4348
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      PID:5580

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CobaltStrike.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:7016
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  PID:464

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
PID:1712

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:948
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Executes dropped EXE
  PID:72

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DudleyTrojan.bat" "
1⤵
PID:3392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Offiz.js"
1⤵
PID:856

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Suspicious use of SetWindowsHookEx
  PID:6148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:3576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:6304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3d72055 /state1:0x41c64e6d
1⤵
PID:5920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery