eternity | 0c7117e7bd2eb23d5205b3dac031ad2ed5a636488c2f54eb3d6003262f03e2a2

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4HP775hS.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4HP775hS.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4HP775hS.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1ZQ12Tx4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1ZQ12Tx4.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1456	schtasks.exe
4388	schtasks.exe
3708	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6864	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4612	1ZQ12Tx4.exe
4612	1ZQ12Tx4.exe
3236	4HP775hS.exe
3236	4HP775hS.exe
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
1056	msedge.exe
1056	msedge.exe
4320	msedge.exe
4320	msedge.exe
3240	Process not Found
3240	Process not Found
1356	msedge.exe
1356	msedge.exe
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
5628	msedge.exe
5628	msedge.exe
3240	Process not Found
3240	Process not Found
5316	msedge.exe
5316	msedge.exe
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3236	4HP775hS.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4464	6eV4TL2.exe
3240	Process not Found
3240	Process not Found
4464	6eV4TL2.exe
4464	6eV4TL2.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
4464	6eV4TL2.exe
4464	6eV4TL2.exe
3240	Process not Found
3240	Process not Found

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4464	6eV4TL2.exe
4464	6eV4TL2.exe
4464	6eV4TL2.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
4464	6eV4TL2.exe
4464	6eV4TL2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4516	2324	e0cc677c0ceaef03dfeb2e5289b284d1.exe	87
PID 2324 wrote to memory of 4516	2324	e0cc677c0ceaef03dfeb2e5289b284d1.exe	87
PID 2324 wrote to memory of 4516	2324	e0cc677c0ceaef03dfeb2e5289b284d1.exe	87
PID 4516 wrote to memory of 4612	4516	AD2wC01.exe	88
PID 4516 wrote to memory of 4612	4516	AD2wC01.exe	88
PID 4516 wrote to memory of 4612	4516	AD2wC01.exe	88
PID 4612 wrote to memory of 1456	4612	1ZQ12Tx4.exe	93
PID 4612 wrote to memory of 1456	4612	1ZQ12Tx4.exe	93
PID 4612 wrote to memory of 1456	4612	1ZQ12Tx4.exe	93
PID 4612 wrote to memory of 4388	4612	1ZQ12Tx4.exe	94
PID 4612 wrote to memory of 4388	4612	1ZQ12Tx4.exe	94
PID 4612 wrote to memory of 4388	4612	1ZQ12Tx4.exe	94
PID 4516 wrote to memory of 3236	4516	AD2wC01.exe	107
PID 4516 wrote to memory of 3236	4516	AD2wC01.exe	107
PID 4516 wrote to memory of 3236	4516	AD2wC01.exe	107
PID 2324 wrote to memory of 4464	2324	e0cc677c0ceaef03dfeb2e5289b284d1.exe	109
PID 2324 wrote to memory of 4464	2324	e0cc677c0ceaef03dfeb2e5289b284d1.exe	109
PID 2324 wrote to memory of 4464	2324	e0cc677c0ceaef03dfeb2e5289b284d1.exe	109
PID 4464 wrote to memory of 1556	4464	6eV4TL2.exe	110
PID 4464 wrote to memory of 1556	4464	6eV4TL2.exe	110
PID 4464 wrote to memory of 1356	4464	6eV4TL2.exe	112
PID 4464 wrote to memory of 1356	4464	6eV4TL2.exe	112
PID 1556 wrote to memory of 1816	1556	msedge.exe	113
PID 1556 wrote to memory of 1816	1556	msedge.exe	113
PID 1356 wrote to memory of 60	1356	msedge.exe	114
PID 1356 wrote to memory of 60	1356	msedge.exe	114
PID 4464 wrote to memory of 1968	4464	6eV4TL2.exe	115
PID 4464 wrote to memory of 1968	4464	6eV4TL2.exe	115
PID 1968 wrote to memory of 1828	1968	msedge.exe	116
PID 1968 wrote to memory of 1828	1968	msedge.exe	116
PID 4464 wrote to memory of 3212	4464	6eV4TL2.exe	118
PID 4464 wrote to memory of 3212	4464	6eV4TL2.exe	118
PID 3212 wrote to memory of 4988	3212	msedge.exe	117
PID 3212 wrote to memory of 4988	3212	msedge.exe	117
PID 4464 wrote to memory of 5068	4464	6eV4TL2.exe	119
PID 4464 wrote to memory of 5068	4464	6eV4TL2.exe	119
PID 5068 wrote to memory of 2876	5068	msedge.exe	120
PID 5068 wrote to memory of 2876	5068	msedge.exe	120
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125
PID 1356 wrote to memory of 3856	1356	msedge.exe	125

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1ZQ12Tx4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1ZQ12Tx4.exe

C:\Users\Admin\AppData\Local\Temp\e0cc677c0ceaef03dfeb2e5289b284d1.exe
"C:\Users\Admin\AppData\Local\Temp\e0cc677c0ceaef03dfeb2e5289b284d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AD2wC01.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AD2wC01.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZQ12Tx4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZQ12Tx4.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:4612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1456
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1752
      4⤵
      Program crash
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4HP775hS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4HP775hS.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eV4TL2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eV4TL2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:1816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,4623082033905534453,11107409902322928481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1472,4623082033905534453,11107409902322928481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:60
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:3856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:5188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
      4⤵
      PID:5724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
      4⤵
      PID:5884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
      4⤵
      PID:5776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
      4⤵
      PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
      4⤵
      PID:6212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      4⤵
      PID:6356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
      4⤵
      PID:6552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
      4⤵
      PID:6580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
      4⤵
      PID:6824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
      4⤵
      PID:6880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
      4⤵
      PID:6012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
      4⤵
      PID:512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7980 /prefetch:8
      4⤵
      PID:5360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7980 /prefetch:8
      4⤵
      PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
      4⤵
      PID:7048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
      4⤵
      PID:4496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7796 /prefetch:8
      4⤵
      PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8737446954894636782,2278593624950709005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
      4⤵
      PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:1828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9600854012869959565,10858265578550653943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1699018793234915241,6901097398220026263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:2876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
    3⤵
    PID:5220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
    3⤵
    PID:5892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
    3⤵
    PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    PID:6296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:6336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:6700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
      4⤵
      PID:6752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2856
- C:\Users\Admin\AppData\Local\Temp\Broom.exe
  C:\Users\Admin\AppData\Local\Temp\Broom.exe
  2⤵
  PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4612 -ip 4612
1⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffe62a146f8,0x7ffe62a14708,0x7ffe62a14718
1⤵
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\CD81.exe
C:\Users\Admin\AppData\Local\Temp\CD81.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Local\Temp\F6A5.exe
C:\Users\Admin\AppData\Local\Temp\F6A5.exe
1⤵
PID:4100
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:3896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 328
      4⤵
      Program crash
      PID:1288
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:3940
- C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\is-QHB0B.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QHB0B.tmp\tuc3.tmp" /SL5="$102C2,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    PID:3756
  - - C:\Program Files (x86)\xrecode3\xrecode3.exe
      "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
      4⤵
      PID:6808
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Query
      4⤵
      PID:5172
  - - C:\Program Files (x86)\xrecode3\xrecode3.exe
      "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 1
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 1
        5⤵
        
        PID:3860
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:6704
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  PID:2856

C:\Users\Admin\AppData\Local\Temp\F966.exe
C:\Users\Admin\AppData\Local\Temp\F966.exe
1⤵
PID:4228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6864
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3708
  - - C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
      4⤵
      PID:5152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4844

C:\Users\Admin\AppData\Local\Temp\FCD2.exe
C:\Users\Admin\AppData\Local\Temp\FCD2.exe
1⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\1F6E.exe
C:\Users\Admin\AppData\Local\Temp\1F6E.exe
1⤵
PID:6804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3896 -ip 3896
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery