crimsonrat | hxxps://cdn[.]discordapp[.]com/attachments/1204540179411378226/1205283732844580894/IMG_1806[.]jpg?ex=65d7cef2&is=65c559f2&hm=5f5a38b43a149b91e664a961ae15d41a63d7ef1e17997d29959e710a110189d3&

Processes:

winupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exeBlackkomet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
5480	attrib.exe
7844	attrib.exe
5556	attrib.exe
6520	attrib.exe
7324	attrib.exe
5816	attrib.exe
5128	attrib.exe
6276	attrib.exe
6408	attrib.exe
6784	attrib.exe
5168	attrib.exe
5964	attrib.exe
9556	attrib.exe
5724	attrib.exe
6712	attrib.exe
9776	attrib.exe
5696	attrib.exe
8100	attrib.exe
7804	attrib.exe
9320	attrib.exe
8900	attrib.exe
3428	attrib.exe
6264	attrib.exe
6924	attrib.exe
8232	attrib.exe
5928	attrib.exe
6592	attrib.exe
8060	attrib.exe
5320	attrib.exe
7784	attrib.exe
8252	attrib.exe
7220	attrib.exe
5304	attrib.exe
7880	attrib.exe
8156	attrib.exe
8328	attrib.exe
924	attrib.exe
9348	attrib.exe
3668	attrib.exe
7988	attrib.exe
7312	attrib.exe
700	attrib.exe
5696	attrib.exe
8196	attrib.exe
9768	attrib.exe
6500	attrib.exe
6500	attrib.exe
7548	attrib.exe
7592	attrib.exe
1524	attrib.exe
5776	attrib.exe
1140	attrib.exe
6624	attrib.exe
8044	attrib.exe
7764	attrib.exe
8120	attrib.exe
7800	attrib.exe
4264	attrib.exe
5936	attrib.exe
4112	attrib.exe
8596	attrib.exe
8888	attrib.exe
5268	attrib.exe
5124	attrib.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

python-3.11.0-amd64.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	python-3.11.0-amd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 17 IoCs

Processes:

python-3.11.0-amd64.exepython-3.11.0-amd64.exepython-3.11.0-amd64.exepython-3.11.0-amd64.exepython-3.11.0-amd64.exeUserdata.exedlrarhsiva.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exe

pid	process
208	python-3.11.0-amd64.exe
2196	python-3.11.0-amd64.exe
1736	python-3.11.0-amd64.exe
4592	python-3.11.0-amd64.exe
1500	python-3.11.0-amd64.exe
2248	Userdata.exe
4956	dlrarhsiva.exe
4776	winupdate.exe
220	winupdate.exe
868	winupdate.exe
5188	winupdate.exe
5408	winupdate.exe
5628	winupdate.exe
5844	winupdate.exe
6056	winupdate.exe
5400	winupdate.exe
5520	winupdate.exe

Loads dropped DLL 2 IoCs

Processes:

python-3.11.0-amd64.exepython-3.11.0-amd64.exe

pid process

2196 python-3.11.0-amd64.exe
4592 python-3.11.0-amd64.exe

pid	process
2196	python-3.11.0-amd64.exe
4592	python-3.11.0-amd64.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

notepad.exeRemcos.exenotepad.exewinupdate.exenotepad.exewinupdate.exeBlackkomet.exewinupdate.exenotepad.exewinupdate.exewinupdate.exenotepad.exenotepad.exenotepad.exewinupdate.exenotepad.exewinupdate.exeUserdata.exewinupdate.exenotepad.exepython-3.11.0-amd64.exenotepad.exenotepad.exewinupdate.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{7f8381ad-2e42-4432-8de5-c7beebe1009f} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{7f8381ad-2e42-4432-8de5-c7beebe1009f}\\python-3.11.0-amd64.exe\" /burn.runonce"	python-3.11.0-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

104 camo.githubusercontent.com

flow	ioc
104	camo.githubusercontent.com

Drops file in System32 directory 64 IoCs

Processes:

attrib.exeattrib.exewinupdate.exewinupdate.exewinupdate.exeattrib.exewinupdate.exenotepad.exewinupdate.exewinupdate.exenotepad.exeattrib.exewinupdate.exenotepad.exewinupdate.exeRemcos.exeBlackkomet.exenotepad.exewinupdate.exeiexplore.exewinupdate.exeattrib.exeattrib.exeattrib.exenotepad.exenotepad.exenotepad.exeattrib.exeattrib.exeattrib.exenotepad.exeattrib.exeattrib.exeattrib.exenotepad.exeattrib.exenotepad.exeattrib.exenotepad.exeattrib.exeattrib.exenotepad.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Userdata.exe

description pid process target process

PID 2248 set thread context of 2652 2248 Userdata.exe iexplore.exe

description	pid	process	target process
PID 2248 set thread context of 2652	2248	Userdata.exe	iexplore.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1ED03561-12AC-4A6A-AA85-583281BF0121}	msiexec.exe
File created	C:\Windows\Installer\e5aad0e.msi	msiexec.exe
File created	C:\Windows\Installer\e5aad0a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5aad0a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB288.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBFF.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5316 6064 WerFault.exe notepad.exe

pid	pid_target	process	target process
5316	6064	WerFault.exe	notepad.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006c2b12180e4adb550000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006c2b12180000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006c2b1218000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6c2b1218000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006c2b121800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 30 IoCs

Processes:

python-3.11.0-amd64.exewinupdate.exewinupdate.exemsedge.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exemsedge.exeOpenWith.exenotepad.exewinupdate.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\Version = "3.11.150.0"	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\{1ED03561-12AC-4A6A-AA85-583281BF0121}\DisplayName = "Python 3.11.0 Core Interpreter (64-bit)"	python-3.11.0-amd64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\Dependents	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11	python-3.11.0-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\ = "{7f8381ad-2e42-4432-8de5-c7beebe1009f}"	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2398549320-3657759451-817663969-1000\{E609AE59-9747-4661-A1D4-BFB4F6408B19}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\{1ED03561-12AC-4A6A-AA85-583281BF0121}\Version = "3.11.150.0"	python-3.11.0-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\Dependents\{7f8381ad-2e42-4432-8de5-c7beebe1009f}	python-3.11.0-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\Dependents	python-3.11.0-amd64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\Dependents\{7f8381ad-2e42-4432-8de5-c7beebe1009f}	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\{1ED03561-12AC-4A6A-AA85-583281BF0121}\ = "{1ED03561-12AC-4A6A-AA85-583281BF0121}"	python-3.11.0-amd64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\{1ED03561-12AC-4A6A-AA85-583281BF0121}	python-3.11.0-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\{1ED03561-12AC-4A6A-AA85-583281BF0121}	python-3.11.0-amd64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies	python-3.11.0-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Installer\Dependencies\CPython-3.11\DisplayName = "Python 3.11.0 (64-bit)"	python-3.11.0-amd64.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

220 reg.exe
4000 reg.exe
3212 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 96149.crdownload:SmartScreen msedge.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2288 PING.EXE

pid	process
220	reg.exe
4000	reg.exe
3212	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 96149.crdownload:SmartScreen	msedge.exe

pid	process
2288	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsiexec.exemsedge.exe

pid	process
1016	msedge.exe
1016	msedge.exe
1776	msedge.exe
1776	msedge.exe
2904	identity_helper.exe
2904	identity_helper.exe
4328	msedge.exe
4328	msedge.exe
4924	msedge.exe
4924	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
3340	msedge.exe
3340	msedge.exe
3536	msiexec.exe
3536	msiexec.exe
3536	msiexec.exe
3536	msiexec.exe
4828	msedge.exe
4828	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

1812 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

Processes:

msedge.exe

pid	process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exepython-3.11.0-amd64.exemsiexec.exe

description	pid	process
Token: SeBackupPrivilege	4680	vssvc.exe
Token: SeRestorePrivilege	4680	vssvc.exe
Token: SeAuditPrivilege	4680	vssvc.exe
Token: SeShutdownPrivilege	4592	python-3.11.0-amd64.exe
Token: SeIncreaseQuotaPrivilege	4592	python-3.11.0-amd64.exe
Token: SeSecurityPrivilege	3536	msiexec.exe
Token: SeCreateTokenPrivilege	4592	python-3.11.0-amd64.exe
Token: SeAssignPrimaryTokenPrivilege	4592	python-3.11.0-amd64.exe
Token: SeLockMemoryPrivilege	4592	python-3.11.0-amd64.exe
Token: SeIncreaseQuotaPrivilege	4592	python-3.11.0-amd64.exe
Token: SeMachineAccountPrivilege	4592	python-3.11.0-amd64.exe
Token: SeTcbPrivilege	4592	python-3.11.0-amd64.exe
Token: SeSecurityPrivilege	4592	python-3.11.0-amd64.exe
Token: SeTakeOwnershipPrivilege	4592	python-3.11.0-amd64.exe
Token: SeLoadDriverPrivilege	4592	python-3.11.0-amd64.exe
Token: SeSystemProfilePrivilege	4592	python-3.11.0-amd64.exe
Token: SeSystemtimePrivilege	4592	python-3.11.0-amd64.exe
Token: SeProfSingleProcessPrivilege	4592	python-3.11.0-amd64.exe
Token: SeIncBasePriorityPrivilege	4592	python-3.11.0-amd64.exe
Token: SeCreatePagefilePrivilege	4592	python-3.11.0-amd64.exe
Token: SeCreatePermanentPrivilege	4592	python-3.11.0-amd64.exe
Token: SeBackupPrivilege	4592	python-3.11.0-amd64.exe
Token: SeRestorePrivilege	4592	python-3.11.0-amd64.exe
Token: SeShutdownPrivilege	4592	python-3.11.0-amd64.exe
Token: SeDebugPrivilege	4592	python-3.11.0-amd64.exe
Token: SeAuditPrivilege	4592	python-3.11.0-amd64.exe
Token: SeSystemEnvironmentPrivilege	4592	python-3.11.0-amd64.exe
Token: SeChangeNotifyPrivilege	4592	python-3.11.0-amd64.exe
Token: SeRemoteShutdownPrivilege	4592	python-3.11.0-amd64.exe
Token: SeUndockPrivilege	4592	python-3.11.0-amd64.exe
Token: SeSyncAgentPrivilege	4592	python-3.11.0-amd64.exe
Token: SeEnableDelegationPrivilege	4592	python-3.11.0-amd64.exe
Token: SeManageVolumePrivilege	4592	python-3.11.0-amd64.exe
Token: SeImpersonatePrivilege	4592	python-3.11.0-amd64.exe
Token: SeCreateGlobalPrivilege	4592	python-3.11.0-amd64.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe
Token: SeTakeOwnershipPrivilege	3536	msiexec.exe
Token: SeRestorePrivilege	3536	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exepython-3.11.0-amd64.exe

pid	process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
4592	python-3.11.0-amd64.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exe

pid	process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

OpenWith.exeAcroRd32.exeiexplore.exe

pid	process
1812	OpenWith.exe
1812	OpenWith.exe
1812	OpenWith.exe
1812	OpenWith.exe
1812	OpenWith.exe
1812	OpenWith.exe
1812	OpenWith.exe
2144	AcroRd32.exe
2144	AcroRd32.exe
2144	AcroRd32.exe
2144	AcroRd32.exe
2652	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1776 wrote to memory of 2128	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 2128	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4900	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 1016	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 1016	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe
PID 1776 wrote to memory of 4316	1776	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
3668	attrib.exe
4112	attrib.exe
7472	attrib.exe
4264	attrib.exe
5484	attrib.exe
6908	attrib.exe
7784	attrib.exe
8360	attrib.exe
8516	attrib.exe
5404	attrib.exe
8120	attrib.exe
8196	attrib.exe
10032	attrib.exe
6500	attrib.exe
6908	attrib.exe
5696	attrib.exe
7264	attrib.exe
8216	attrib.exe
9320	attrib.exe
5816	attrib.exe
6500	attrib.exe
6604	attrib.exe
7224	attrib.exe
7604	attrib.exe
7432	attrib.exe
8900	attrib.exe
5704	attrib.exe
5320	attrib.exe
700	attrib.exe
5696	attrib.exe
6624	attrib.exe
8052	attrib.exe
6408	attrib.exe
7936	attrib.exe
5260	attrib.exe
5712	attrib.exe
924	attrib.exe
6784	attrib.exe
8808	attrib.exe
8232	attrib.exe
8196	attrib.exe
6912	attrib.exe
8044	attrib.exe
1524	attrib.exe
8588	attrib.exe
8888	attrib.exe
8452	attrib.exe
5268	attrib.exe
7844	attrib.exe
8060	attrib.exe
8100	attrib.exe
9776	attrib.exe
9348	attrib.exe
7548	attrib.exe
6004	attrib.exe
5468	attrib.exe
6488	attrib.exe
8252	attrib.exe
5124	attrib.exe
6712	attrib.exe
6920	attrib.exe
7548	attrib.exe
8020	attrib.exe
7148	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1204540179411378226/1205283732844580894/IMG_1806.jpg?ex=65d7cef2&is=65c559f2&hm=5f5a38b43a149b91e664a961ae15d41a63d7ef1e17997d29959e710a110189d3&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd986d46f8,0x7ffd986d4708,0x7ffd986d4718
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7032 /prefetch:8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Users\Admin\Downloads\python-3.11.0-amd64.exe
  "C:\Users\Admin\Downloads\python-3.11.0-amd64.exe"
  2⤵
  - Executes dropped EXE
  PID:208
- - C:\Windows\Temp\{80F57364-E132-437F-A284-81EA98F239E1}\.cr\python-3.11.0-amd64.exe
    "C:\Windows\Temp\{80F57364-E132-437F-A284-81EA98F239E1}\.cr\python-3.11.0-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.11.0-amd64.exe" -burn.filehandle.attached=720 -burn.filehandle.self=576
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2196
- C:\Users\Admin\Downloads\python-3.11.0-amd64.exe
  "C:\Users\Admin\Downloads\python-3.11.0-amd64.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- - C:\Windows\Temp\{C9F57D31-1888-4160-8022-4E7B1C66188D}\.cr\python-3.11.0-amd64.exe
    "C:\Windows\Temp\{C9F57D31-1888-4160-8022-4E7B1C66188D}\.cr\python-3.11.0-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.11.0-amd64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4592
  - - C:\Windows\Temp\{E88619E1-8B57-4608-89DB-1BA50B1B6A5A}\.be\python-3.11.0-amd64.exe
      "C:\Windows\Temp\{E88619E1-8B57-4608-89DB-1BA50B1B6A5A}\.be\python-3.11.0-amd64.exe" -q -burn.elevated BurnPipe.{DE5848B5-3B65-4254-86FB-F41C7C0E40BB} {59B551C7-3300-412E-B601-970569378B08} 4592
      4⤵
      Executes dropped EXE
      PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7916 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,7150771966324222228,9559442055069399806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Luna-Grabber-main\requirements.txt
1⤵
PID:3600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1812
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Luna-Grabber-main\luna.py"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2144
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:3652
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=57BD2F0B98B0D72A780122CBF310ABE5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=57BD2F0B98B0D72A780122CBF310ABE5 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2140
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0136F00A741110771B15C8C62D2448D1 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3140
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2288
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:4000
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:1244
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3212

C:\Users\Admin\Desktop\RAT\Remcos.exe
"C:\Users\Admin\Desktop\RAT\Remcos.exe"
1⤵
PID:2856

C:\Users\Admin\Desktop\RAT\CrimsonRAT.exe
"C:\Users\Admin\Desktop\RAT\CrimsonRAT.exe"
1⤵
PID:1524
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4956

C:\Users\Admin\Desktop\RAT\Blackkomet.exe
"C:\Users\Admin\Desktop\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:2248
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:4600
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\RAT" +s +h
  2⤵
  PID:1508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\RAT\Blackkomet.exe" +s +h
  2⤵
  PID:3564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3428
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  PID:4776
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Drops file in System32 directory
    PID:3960
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    PID:220
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:4860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:3668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Drops file in System32 directory
      PID:3564
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      PID:868
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3212
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4264
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1524
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5236
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5268
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5260
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        
        PID:5416
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5320
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5816
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        
        PID:5964
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        13⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        Sets file to hidden
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Views/modifies file attributes
        
        PID:5484
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        15⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        16⤵
        Views/modifies file attributes
        
        PID:6004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        16⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        17⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        Views/modifies file attributes
        
        PID:700
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        17⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        Views/modifies file attributes
        
        PID:5468
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        18⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        19⤵
        Sets file to hidden
        
        PID:5724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        Sets file to hidden
        
        PID:5128
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        19⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        20⤵
        Sets file to hidden
        
        PID:1140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        Sets file to hidden
        
        PID:700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        20⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        Views/modifies file attributes
        
        PID:5404
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        21⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        22⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        Sets file to hidden
        
        PID:6276
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        22⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        Views/modifies file attributes
        
        PID:6488
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        23⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        24⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        25⤵
        Views/modifies file attributes
        
        PID:6920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        Views/modifies file attributes
        
        PID:6912
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        26⤵
        Views/modifies file attributes
        
        PID:7148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        26⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        27⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        27⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        28⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        28⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        28⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        29⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        29⤵
        Sets file to hidden
        
        PID:5556
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        30⤵
        Views/modifies file attributes
        
        PID:6604
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        30⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        31⤵
        Views/modifies file attributes
        
        PID:6908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        31⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        31⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        32⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        32⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        32⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        33⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        33⤵
        Sets file to hidden
        
        PID:6264
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        33⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        34⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        34⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        34⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        35⤵
        Sets file to hidden
        
        PID:6592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        35⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        35⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        36⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        36⤵
        Sets file to hidden
        
        PID:6924
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        36⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        37⤵
        Views/modifies file attributes
        
        PID:6908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        37⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5696
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        37⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        38⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        38⤵
        Sets file to hidden
        
        PID:6520
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        38⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        39⤵
        Sets file to hidden
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        39⤵
        Sets file to hidden
        
        PID:7312
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        39⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        39⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        40⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        40⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        40⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        40⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        41⤵
        Sets file to hidden
        
        PID:7804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        41⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        41⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        42⤵
        Views/modifies file attributes
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        42⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8044
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        42⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        42⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        43⤵
        Views/modifies file attributes
        
        PID:7224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        43⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        43⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        43⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        44⤵
        Views/modifies file attributes
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        44⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        44⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        44⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        45⤵
        Sets file to hidden
        
        PID:7764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        45⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7844
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        45⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        45⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        46⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        46⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7784
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        46⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        47⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        47⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8060
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        47⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        48⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        48⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        48⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        49⤵
        Sets file to hidden
        
        PID:7880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        49⤵
        Sets file to hidden
        
        PID:7988
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        49⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        50⤵
        Sets file to hidden
        
        PID:7592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        50⤵
        Sets file to hidden
        
        PID:7800
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        50⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        51⤵
        Views/modifies file attributes
        
        PID:7604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        51⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8100
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        51⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        51⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        52⤵
        Views/modifies file attributes
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        52⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        52⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        53⤵
        Views/modifies file attributes
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        53⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        53⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        54⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        54⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        54⤵
        Views/modifies file attributes
        
        PID:8216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        54⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        54⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        55⤵
        Sets file to hidden
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        55⤵
        Views/modifies file attributes
        
        PID:8588
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        55⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        55⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        56⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        56⤵
        Views/modifies file attributes
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        56⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        56⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        56⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        57⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        57⤵
        Sets file to hidden
        
        PID:8156
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        57⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        57⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        58⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        58⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        58⤵
        Views/modifies file attributes
        
        PID:7936
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        58⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        58⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        59⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        59⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        59⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        59⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        60⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        60⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        60⤵
        Views/modifies file attributes
        
        PID:8360
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        60⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        60⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        61⤵
        Views/modifies file attributes
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        61⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8252
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        61⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        61⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        62⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        62⤵
        Views/modifies file attributes
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        62⤵
        Views/modifies file attributes
        
        PID:8452
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        62⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        63⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        63⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8232
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        63⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        64⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        64⤵
        Sets file to hidden
        
        PID:8328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        64⤵
        Sets file to hidden
        
        PID:7220
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        64⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        65⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        65⤵
        Views/modifies file attributes
        
        PID:8196
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        65⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        65⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        66⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        66⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        66⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        66⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        66⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        67⤵
        Sets file to hidden
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        67⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        67⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        67⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        68⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        68⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        68⤵
        Sets file to hidden
        
        PID:9768
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        68⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        69⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        69⤵
        Views/modifies file attributes
        
        PID:10032
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        69⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        70⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        70⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        70⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8900
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        70⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        71⤵
        Views/modifies file attributes
        
        PID:7548
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        70⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        69⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        68⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        64⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        63⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        62⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        53⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        52⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        50⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        49⤵
        
        PID:408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        48⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        47⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        46⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        41⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        38⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        37⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        36⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        35⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        34⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        33⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        32⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        31⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        30⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        29⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        28⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        26⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        25⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        15⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        14⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        12⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 68
        10⤵
        Program crash
        
        PID:5316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        
        PID:5636
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:5196
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      Modifies registry class
      PID:2248
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6064 -ip 6064
1⤵
PID:1140

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"
1⤵
PID:7620

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
1⤵
PID:2308
- C:\Windows\SysWOW64\NET.exe
  NET STOP SWEEPSRV.SYS
  2⤵
  PID:7548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
    3⤵
    PID:8444
- C:\Windows\SysWOW64\NET.exe
  NET STOP MCSHIELD
  2⤵
  PID:7328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP MCSHIELD
    3⤵
    PID:8452
- C:\Windows\SysWOW64\NET.exe
  NET STOP AVPCC
  2⤵
  PID:7880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP AVPCC
    3⤵
    PID:8476
- C:\Windows\SysWOW64\NET.exe
  NET STOP PERSFW
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP PERSFW
    3⤵
    PID:8412
- C:\Windows\SysWOW64\NET.exe
  NET STOP NAVAPSVC
  2⤵
  PID:7236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP NAVAPSVC
    3⤵
    PID:8432
- C:\WINDOWS\system\msload.exe
  C:\WINDOWS\system\msload.exe
  2⤵
  PID:8992
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:9068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:8196
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:9060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:8248
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:9052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:8228
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:9044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:7988
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:9032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:8464
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:9112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:9268
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:8916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:9064
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:8276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:9184
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:8000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:8196
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:8516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:7636

C:\Windows\SysWOW64\notepad.exe
notepad
1⤵
PID:9136

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.A.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.A.exe"
1⤵
PID:8372

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.E.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.E.exe"
1⤵
PID:8344

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
PID:9932

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
1⤵
PID:10184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery