cerber | hxxps://github[.]com/Endermanch/MalwareDatabase

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	[email protected]

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	[email protected]

Executes dropped EXE 50 IoCs

pid	Process
5108	[email protected]
4272	CCSetup.exe
2232	CCSetup.exe
2256	ISBEW64.exe
2368	ISBEW64.exe
1672	ISBEW64.exe
1136	ISBEW64.exe
4620	ISBEW64.exe
1904	ISBEW64.exe
844	ISBEW64.exe
3640	ISBEW64.exe
4900	ISBEW64.exe
2708	ISBEW64.exe
4372	CCSetup (1).exe
2188	CCSetup (1).exe
4856	ISBEW64.exe
3848	ISBEW64.exe
4436	ISBEW64.exe
1888	ISBEW64.exe
3272	ISBEW64.exe
1968	ISBEW64.exe
4392	ISBEW64.exe
3480	ISBEW64.exe
552	ISBEW64.exe
3648	ISBEW64.exe
5444	CCSetup (1).exe
5536	CCSetup (1).exe
3960	ISBEW64.exe
3376	ISBEW64.exe
4816	ISBEW64.exe
4152	ISBEW64.exe
3828	ISBEW64.exe
872	ISBEW64.exe
5476	ISBEW64.exe
5508	ISBEW64.exe
5556	ISBEW64.exe
5584	ISBEW64.exe
3968	avast_free_antivirus_setup_online.exe
5568	avast_free_antivirus_setup_online_x64.exe
112	instup.exe
436	instup.exe
3840	aswOfferTool.exe
1540	aswOfferTool.exe
968	aswOfferTool.exe
2916	aswOfferTool.exe
5164	aswOfferTool.exe
4024	aswOfferTool.exe
2068	aswOfferTool.exe
5496	aswOfferTool.exe
388	sbr.exe

Loads dropped DLL 34 IoCs

pid	Process
2232	CCSetup.exe
4248	MsiExec.exe
2232	CCSetup.exe
2232	CCSetup.exe
2232	CCSetup.exe
2232	CCSetup.exe
2232	CCSetup.exe
2188	CCSetup (1).exe
2500	MsiExec.exe
2188	CCSetup (1).exe
2188	CCSetup (1).exe
2188	CCSetup (1).exe
2188	CCSetup (1).exe
2188	CCSetup (1).exe
5536	CCSetup (1).exe
3872	MsiExec.exe
5536	CCSetup (1).exe
5536	CCSetup (1).exe
5536	CCSetup (1).exe
5536	CCSetup (1).exe
5536	CCSetup (1).exe
3968	avast_free_antivirus_setup_online.exe
112	instup.exe
112	instup.exe
112	instup.exe
112	instup.exe
436	instup.exe
436	instup.exe
436	instup.exe
436	instup.exe
968	aswOfferTool.exe
5164	aswOfferTool.exe
2068	aswOfferTool.exe
5496	aswOfferTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\Avast Software\\Avast\\setup\\instup.exe\" /instop:repair /wait"	instup.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	CCSetup.exe
File opened (read-only)	\??\K:	CCSetup.exe
File opened (read-only)	\??\N:	CCSetup.exe
File opened (read-only)	\??\A:	CCSetup (1).exe
File opened (read-only)	\??\L:	CCSetup (1).exe
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\O:	CCSetup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\U:	CCSetup (1).exe
File opened (read-only)	\??\I:	CCSetup (1).exe
File opened (read-only)	\??\J:	CCSetup.exe
File opened (read-only)	\??\R:	CCSetup.exe
File opened (read-only)	\??\M:	CCSetup (1).exe
File opened (read-only)	\??\E:	CCSetup (1).exe
File opened (read-only)	\??\G:	CCSetup (1).exe
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\K:	CCSetup (1).exe
File opened (read-only)	\??\Q:	CCSetup (1).exe
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\V:	CCSetup (1).exe
File opened (read-only)	\??\R:	CCSetup (1).exe
File opened (read-only)	\??\P:	CCSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	CCSetup (1).exe
File opened (read-only)	\??\N:	CCSetup (1).exe
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\O:	CCSetup (1).exe
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\G:	CCSetup.exe
File opened (read-only)	\??\V:	CCSetup.exe
File opened (read-only)	\??\X:	CCSetup.exe
File opened (read-only)	\??\B:	CCSetup (1).exe
File opened (read-only)	\??\H:	CCSetup (1).exe
File opened (read-only)	\??\T:	CCSetup (1).exe
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	CCSetup (1).exe
File opened (read-only)	\??\S:	CCSetup (1).exe
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\M:	CCSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	CCSetup (1).exe
File opened (read-only)	\??\P:	CCSetup (1).exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\L:	CCSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	CCSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	CCSetup (1).exe
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	CCSetup.exe
File opened (read-only)	\??\U:	CCSetup (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]

Probable phishing domain 1 TTPs 2 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	3474	https://www.pcrisk.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8ad0a52348ffb68b	5
HTTP URL	3537	https://www.salvagedata.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8ad0a8016e41b68f	5

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCB79.bmp"	[email protected]

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\	[email protected]
File opened for modification	\??\c:\program files (x86)\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\thunderbird	[email protected]
File opened for modification	C:\Program Files\Avast Software\Avast\setup\jrog2-153e.vpx	instup.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\word	[email protected]
File opened for modification	\??\c:\program files (x86)\steam	[email protected]
File opened for modification	\??\c:\program files (x86)\the bat!	[email protected]
File opened for modification	C:\Program Files\Avast Software\Avast\setup	instup.exe
File opened for modification	\??\c:\program files\	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\word	[email protected]
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Stats.ini	instup.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	[email protected]
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Stats.ini.tmp	instup.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\office	[email protected]
File opened for modification	\??\c:\program files (x86)\outlook	[email protected]
File opened for modification	C:\Program Files\Avast Software\Avast\setup\ais_cmp_bpc-7e7.vpx	instup.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	[email protected]

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avast_free_antivirus_setup_online.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4124	cmd.exe
3512	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2768	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "88"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: jrog2-153e.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "53"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: jrog2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "89"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-a45.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "65"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: ais_cmp_bpc-7e7.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "46"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "93"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "97"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "8"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "9"	instup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	CCSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CCSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CCSetup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5116	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3512	PING.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
6080	chrome.exe
6080	chrome.exe
5568	avast_free_antivirus_setup_online_x64.exe
5568	avast_free_antivirus_setup_online_x64.exe
5568	avast_free_antivirus_setup_online_x64.exe
5568	avast_free_antivirus_setup_online_x64.exe
436	instup.exe
436	instup.exe
436	instup.exe
436	instup.exe
436	instup.exe
436	instup.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
436	instup.exe
436	instup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
6080	chrome.exe
6080	chrome.exe
6080	chrome.exe
6080	chrome.exe
6080	chrome.exe
6080	chrome.exe
6080	chrome.exe
6080	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
2552	7zG.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe
4684	taskmgr.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
4272	CCSetup.exe
2232	CCSetup.exe
2256	ISBEW64.exe
2368	ISBEW64.exe
1672	ISBEW64.exe
1136	ISBEW64.exe
4620	ISBEW64.exe
1904	ISBEW64.exe
844	ISBEW64.exe
3640	ISBEW64.exe
4900	ISBEW64.exe
2708	ISBEW64.exe
2232	CCSetup.exe
2232	CCSetup.exe
4372	CCSetup (1).exe
2188	CCSetup (1).exe
4856	ISBEW64.exe
3848	ISBEW64.exe
4436	ISBEW64.exe
1888	ISBEW64.exe
3272	ISBEW64.exe
1968	ISBEW64.exe
4392	ISBEW64.exe
3480	ISBEW64.exe
552	ISBEW64.exe
3648	ISBEW64.exe
2188	CCSetup (1).exe
2188	CCSetup (1).exe
5444	CCSetup (1).exe
5536	CCSetup (1).exe
3960	ISBEW64.exe
3376	ISBEW64.exe
4816	ISBEW64.exe
4152	ISBEW64.exe
3828	ISBEW64.exe
872	ISBEW64.exe
5476	ISBEW64.exe
5508	ISBEW64.exe
5556	ISBEW64.exe
5584	ISBEW64.exe
5536	CCSetup (1).exe
5536	CCSetup (1).exe
112	instup.exe
436	instup.exe
436	instup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4800	1720	chrome.exe	84
PID 1720 wrote to memory of 4800	1720	chrome.exe	84
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 3628	1720	chrome.exe	86
PID 1720 wrote to memory of 4552	1720	chrome.exe	87
PID 1720 wrote to memory of 4552	1720	chrome.exe	87
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88
PID 1720 wrote to memory of 3384	1720	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc538ecc40,0x7ffc538ecc4c,0x7ffc538ecc58
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4984,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5300,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5500,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4456,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5524,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4968,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4940,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5384,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5720,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6024,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6000,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3164,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4508,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5800,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3108,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=1448,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6004,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:2368
- C:\Users\Admin\Downloads\CCSetup.exe
  "C:\Users\Admin\Downloads\CCSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\{FA61E6BC-5487-4568-9992-95DED774260E}\CCSetup.exe
    C:\Users\Admin\AppData\Local\Temp\{FA61E6BC-5487-4568-9992-95DED774260E}\CCSetup.exe /q"C:\Users\Admin\Downloads\CCSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{FA61E6BC-5487-4568-9992-95DED774260E}" /IS_temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0053F21B-A31B-436E-9C7A-C2301FE2C539}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{734E95F3-1585-496E-A756-84942BC151BD}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D781EFA2-D043-4D18-B919-9DCC874C3461}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A70103F-D3EA-48AC-B837-001FD10F55BC}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF72C1F0-2204-4A5C-9607-133CAFCBE02A}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{21A43B3F-785F-48B6-9162-261A02352510}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D480D29A-4954-4901-81DD-DBDDE8B8B83C}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:844
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4FF2AE0C-FF2E-445A-91FA-F5CAC575A08E}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5F128B48-4F42-4018-820B-C5E083BA9CD7}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{2AFA0508-AF40-42E5-BC64-301AA8F9752B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6681E388-8C35-439E-8410-E3B6CFB19FED}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2708
  - - C:\Windows\SysWOW64\CMD.EXE
      CMD.EXE /C driverquery /v >C:\Users\Admin\AppData\Local\Temp\drivers.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
    - - C:\Windows\SysWOW64\driverquery.exe
        
        driverquery /v
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3148,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6456,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5216,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6104,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6432,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6836,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6596,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6860,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6848 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6204,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:1632
- C:\Users\Admin\Downloads\CCSetup (1).exe
  "C:\Users\Admin\Downloads\CCSetup (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\{D9CCB089-13EC-45E2-9D81-D92CAE723BFA}\CCSetup (1).exe
    "C:\Users\Admin\AppData\Local\Temp\{D9CCB089-13EC-45E2-9D81-D92CAE723BFA}\CCSetup (1).exe" /q"C:\Users\Admin\Downloads\CCSetup (1).exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{D9CCB089-13EC-45E2-9D81-D92CAE723BFA}" /IS_temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E22587E8-8DC7-4C8D-89F0-3C48AACC56DB}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EA7391D3-E3A3-41C2-8E90-977C7863BA15}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C946117-358E-4D4E-8DAF-045DCC6741DF}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7865F086-71CE-4052-9794-A875BAB0B5AD}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC4D7EB5-6788-41B1-8949-0BE44669DA0A}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{175E517B-77DE-4761-AD5D-A2699BA53307}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C8A06156-24F8-4DDC-8E46-042FA060590D}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{78312C61-6A85-4F7F-983E-69F6F2C36AF4}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CCB55450-2D64-4F1F-8B42-7BAF2762AA83}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:552
  - - C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{1901C474-2650-45B2-9BFA-24A46FDA0818}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36EA999F-29B2-438A-8C29-A3A2D66E7F13}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3648
  - - C:\Windows\SysWOW64\CMD.EXE
      CMD.EXE /C driverquery /v >C:\Users\Admin\AppData\Local\Temp\drivers.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4196
    - - C:\Windows\SysWOW64\driverquery.exe
        
        driverquery /v
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
- C:\Users\Admin\Downloads\CCSetup (1).exe
  "C:\Users\Admin\Downloads\CCSetup (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\{42E22616-3D6F-415B-B346-53F68BCF4EF8}\CCSetup (1).exe
    "C:\Users\Admin\AppData\Local\Temp\{42E22616-3D6F-415B-B346-53F68BCF4EF8}\CCSetup (1).exe" /q"C:\Users\Admin\Downloads\CCSetup (1).exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{42E22616-3D6F-415B-B346-53F68BCF4EF8}" /IS_temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5536
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BDC0FCFA-6C28-4F5E-B483-94D89405EB72}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B4D6E895-99C3-4E74-A4E3-69FB83D07048}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A282525D-D98B-4D14-879E-5B978CA40F96}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AD5EB783-1C57-4866-8C0C-4A47340291AC}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{566877F8-CDF9-4C3F-94F0-D39F5ACAC065}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4ABB15E7-00A8-4743-9B04-F4A54569FD22}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{759CD254-8A7D-49B6-B540-EC7133E19A4E}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{15995493-2721-491C-9378-6923A69DA126}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7743A79-D22F-4717-B185-8B52DE6E665A}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5556
  - - C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{CE8E8BF9-98CB-4248-85E5-D24AE6DF02D0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D24D9FF9-7FF5-43D0-9405-3780A623F222}
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5584
  - - C:\Windows\SysWOW64\CMD.EXE
      CMD.EXE /C driverquery /v >C:\Users\Admin\AppData\Local\Temp\drivers.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:5624
    - - C:\Windows\SysWOW64\driverquery.exe
        
        driverquery /v
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6168,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=5704,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6216,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=5276,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6652,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6160,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6920,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=6816,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=6080,i,6779563549264597164,8268690847426363868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:4152

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4144

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap29839:74:7zEvent29624
1⤵
- Suspicious use of FindShellTrayWindow
PID:2552

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5108
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4688
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4852
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0K5N5AM4_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4304
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___B4F4Y_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:5116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "E"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2768
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3512

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
PID:4628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1BE2E4C9D0E61173732DA1C022CA1480 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4248
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B940669162C6BC1AEF144BAFD04511FC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1E811B8B9957157AC755E7BFA43BA2EF C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3872

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\3b80b0f16884441fa9b7fa844e29921e /t 3004 /p 2232
1⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc538ecc40,0x7ffc538ecc4c,0x7ffc538ecc58
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3184,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5248,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5376,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3340,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5180,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4856,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5640,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5652,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5668,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5792,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5636,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:5032
- C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe
  "C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3968
- - C:\Windows\Temp\asw.c531bc42bc26085d\avast_free_antivirus_setup_online_x64.exe
    "C:\Windows\Temp\asw.c531bc42bc26085d\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:4baee430-503c-471a-8905-061a2af6efca /edat_dir:C:\Windows\Temp\asw.c531bc42bc26085d /geo:GB
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5568
  - - C:\Windows\Temp\asw.ffbc5d959275e854\instup.exe
      "C:\Windows\Temp\asw.ffbc5d959275e854\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ffbc5d959275e854 /edition:1 /prod:ais /stub_context:e7320d64-0027-4679-abcc-02fa3a145f71:9931880 /guid:754c9b39-c8f9-43a2-8fa8-bf2ac23e9fb0 /ga_clientid:4baee430-503c-471a-8905-061a2af6efca /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:4baee430-503c-471a-8905-061a2af6efca /edat_dir:C:\Windows\Temp\asw.c531bc42bc26085d /geo:GB
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:112
    - - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\instup.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.ffbc5d959275e854 /edition:1 /prod:ais /stub_context:e7320d64-0027-4679-abcc-02fa3a145f71:9931880 /guid:754c9b39-c8f9-43a2-8fa8-bf2ac23e9fb0 /ga_clientid:4baee430-503c-471a-8905-061a2af6efca /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.c531bc42bc26085d /geo:GB /online_installer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:436
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe" -checkGToolbar -elevated
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe" /check_secure_browser
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:968
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5164
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5496
      - C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\sbr.exe
        
        "C:\Windows\Temp\asw.ffbc5d959275e854\New_180717ec\sbr.exe" 436 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"
        6⤵
        Executes dropped EXE
        
        PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5664,i,1962094842135567900,10544211896261945797,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4656

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery