c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneNote Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\SecurityScan\\OnesNotem.exe\" 421"	OnesNotem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneNote Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\SecurityScan\\OnesNotem.exe\" 421"	OnesNotem.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OnesNotem.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2368	tasklist.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\wntdll.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-PG2RP.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-9VERS.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\exe\onenotem.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-JKCRN.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-9ELN3.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-LMILC.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-OUM9Q.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-CQIH6.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-OLVVO.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\wntdll.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-PQ89D.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\wntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\onenotem.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\symbols\exe\onenotem.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-E63G8.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KOVUU.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-M7THQ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-IO3F9.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-2O1BR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-LLP9B.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-LB7LI.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-P41MB.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-L6P2S.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-F5B0T.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-84446.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-Q1SFF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-GP8HE.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-NSM6T.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-VC802.tmp	processhacker-2.39-setup.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0F64E67C-DF97-428D-BDF9-40EDA8A1F44D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE29F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e1f6.msi	msiexec.exe
File created	C:\Windows\Installer\e57e1f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e1f4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
2832	OnesNotem.exe
1148	OnesNotem.exe
2216	processhacker-2.39-setup.exe
2184	processhacker-2.39-setup.tmp
2152	ProcessHacker.exe

Loads dropped DLL 14 IoCs

pid	Process
2832	OnesNotem.exe
1148	OnesNotem.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe
2152	ProcessHacker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4880	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OnesNotem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OnesNotem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processhacker-2.39-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processhacker-2.39-setup.tmp

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector	OnesNotem.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133820298238041111"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OnesNotem.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	OnesNotem.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-pu	OnesNotem.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 44004400440030003000390044003800330031003000350032004500340046000000	OnesNotem.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	msiexec.exe
4556	msiexec.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3988	mmc.exe
2028	taskmgr.exe
2152	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4880	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4880	msiexec.exe
Token: SeSecurityPrivilege	4556	msiexec.exe
Token: SeCreateTokenPrivilege	4880	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4880	msiexec.exe
Token: SeLockMemoryPrivilege	4880	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4880	msiexec.exe
Token: SeMachineAccountPrivilege	4880	msiexec.exe
Token: SeTcbPrivilege	4880	msiexec.exe
Token: SeSecurityPrivilege	4880	msiexec.exe
Token: SeTakeOwnershipPrivilege	4880	msiexec.exe
Token: SeLoadDriverPrivilege	4880	msiexec.exe
Token: SeSystemProfilePrivilege	4880	msiexec.exe
Token: SeSystemtimePrivilege	4880	msiexec.exe
Token: SeProfSingleProcessPrivilege	4880	msiexec.exe
Token: SeIncBasePriorityPrivilege	4880	msiexec.exe
Token: SeCreatePagefilePrivilege	4880	msiexec.exe
Token: SeCreatePermanentPrivilege	4880	msiexec.exe
Token: SeBackupPrivilege	4880	msiexec.exe
Token: SeRestorePrivilege	4880	msiexec.exe
Token: SeShutdownPrivilege	4880	msiexec.exe
Token: SeDebugPrivilege	4880	msiexec.exe
Token: SeAuditPrivilege	4880	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4880	msiexec.exe
Token: SeChangeNotifyPrivilege	4880	msiexec.exe
Token: SeRemoteShutdownPrivilege	4880	msiexec.exe
Token: SeUndockPrivilege	4880	msiexec.exe
Token: SeSyncAgentPrivilege	4880	msiexec.exe
Token: SeEnableDelegationPrivilege	4880	msiexec.exe
Token: SeManageVolumePrivilege	4880	msiexec.exe
Token: SeImpersonatePrivilege	4880	msiexec.exe
Token: SeCreateGlobalPrivilege	4880	msiexec.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeBackupPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe
Token: SeTakeOwnershipPrivilege	4556	msiexec.exe
Token: SeRestorePrivilege	4556	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4880	msiexec.exe
4880	msiexec.exe
4816	AcroRd32.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
4816	AcroRd32.exe
3988	mmc.exe
3988	mmc.exe
4816	AcroRd32.exe
3988	mmc.exe
3988	mmc.exe
3988	mmc.exe
3988	mmc.exe
3988	mmc.exe
3988	mmc.exe
3988	mmc.exe
3988	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 4944	4556	msiexec.exe	91
PID 4556 wrote to memory of 4944	4556	msiexec.exe	91
PID 4556 wrote to memory of 2832	4556	msiexec.exe	93
PID 4556 wrote to memory of 2832	4556	msiexec.exe	93
PID 4556 wrote to memory of 2832	4556	msiexec.exe	93
PID 2832 wrote to memory of 4816	2832	OnesNotem.exe	94
PID 2832 wrote to memory of 4816	2832	OnesNotem.exe	94
PID 2832 wrote to memory of 4816	2832	OnesNotem.exe	94
PID 2832 wrote to memory of 1148	2832	OnesNotem.exe	98
PID 2832 wrote to memory of 1148	2832	OnesNotem.exe	98
PID 2832 wrote to memory of 1148	2832	OnesNotem.exe	98
PID 4816 wrote to memory of 400	4816	AcroRd32.exe	104
PID 4816 wrote to memory of 400	4816	AcroRd32.exe	104
PID 4816 wrote to memory of 400	4816	AcroRd32.exe	104
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 3568	400	RdrCEF.exe	105
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106
PID 400 wrote to memory of 4344	400	RdrCEF.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4944
- C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8AACDBAB53E9B3F7DA23CECB11BD3D3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8C635FFD69FB86D9D3D0BE615AE0D0F3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8C635FFD69FB86D9D3D0BE615AE0D0F3 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D73B53C69FD67CCA8E7D0ABD5615527 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:448
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2EA6C0B0CFB383A795C9C273135100E --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4C2B6695D44EC4388F4B21A788AA1811 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4C2B6695D44EC4388F4B21A788AA1811 --renderer-client-id=6 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6402639B1403259A0C12EEBAB281B11F --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
- - C:\Users\Admin\AppData\Roaming\SecurityScan\OnesNotem.exe
    C:\Users\Admin\AppData\Roaming\SecurityScan\OnesNotem.exe 424
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3688
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcfc9acc40,0x7ffcfc9acc4c,0x7ffcfc9acc58
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2212,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:2144
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x29c,0x2a0,0x2a4,0x274,0x2a8,0x7ff6a3d94698,0x7ff6a3d946a4,0x7ff6a3d946b0
    3⤵
    - Drops file in Program Files directory
    PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4040,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5300,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4864,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:2
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5436,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5420,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3544,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4068,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3376,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5032,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4564,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1528 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5880,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3412,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6036,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3452,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6348,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6528,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5916,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:3060
- C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
  "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\is-LIAIC.tmp\processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LIAIC.tmp\processhacker-2.39-setup.tmp" /SL5="$406EC,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2184
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: GetForegroundWindowSpam
      PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6572,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6252,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6532,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1520 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6300,i,4259423502392069352,8934177770628631853,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:6056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery