hxxp://google[.]com

Modify Registry

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	wscript.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables RegEdit via registry modification 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

888 icacls.exe
1624 takeown.exe
3100 icacls.exe
904 takeown.exe
2440 icacls.exe
796 takeown.exe

pid	process
888	icacls.exe
1624	takeown.exe
3100	icacls.exe
904	takeown.exe
2440	icacls.exe
796	takeown.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

wscript.exeMrsMajor3.0.exeMrsMajor2.0.exeBossDaMajor.exeBossDaMajor.exewscript.exewscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	MrsMajor2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	BossDaMajor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	BossDaMajor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 9 IoCs

Processes:

MrsMajor3.0.exeeulascr.exeMrsMajor2.0.exeInstall.exeBossDaMajor.exeBossDaMajor.exeBonzify.exe000.exeeula32.exe

pid	process
632	MrsMajor3.0.exe
3260	eulascr.exe
2956	MrsMajor2.0.exe
180	Install.exe
1164	BossDaMajor.exe
4092	BossDaMajor.exe
2116	Bonzify.exe
2248	000.exe
2844	eula32.exe

Loads dropped DLL 1 IoCs

Processes:

eulascr.exe

pid process

3260 eulascr.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

3100 icacls.exe
904 takeown.exe
2440 icacls.exe
796 takeown.exe
888 icacls.exe
1624 takeown.exe

pid	process
3260	eulascr.exe

pid	process
3100	icacls.exe
904	takeown.exe
2440	icacls.exe
796	takeown.exe
888	icacls.exe
1624	takeown.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6420.tmp\eulascr.exe	agile_net
behavioral1/memory/3260-1030-0x0000000000C10000-0x0000000000C3A000-memory.dmp	agile_net

Enumerates connected drives 3 TTPs 40 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

000.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

176 raw.githubusercontent.com
177 raw.githubusercontent.com

flow	ioc
176	raw.githubusercontent.com
177	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

Modify Registry

Processes:

000.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper 000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper	000.exe

Drops file in Program Files directory 64 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\program files\MicrosoftWindowsServicesEtc\rsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\def_resource\Skullcur.cur	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\mrsmajorlauncher.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe	wscript.exe
File created	C:\Program Files\mrsmajor\WinLogon.bat	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\WinLogon.bat	wscript.exe
File created	C:\Program Files\mrsmajor\mrsmajorlauncher.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe	wscript.exe
File created	C:\Program Files\mrsmajor\default.txt	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\Skullcur.cur	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\Launcher.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat	wscript.exe
File created	C:\Program Files\mrsmajor\reStart.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\Doll_patch.xml	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\checker.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\example.txt	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\Major.exe	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\reStart.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\DreS_X.bat	wscript.exe
File created	C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\default.txt	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\DreS_X.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\MrsMjrGui.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\Launcher.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs	wscript.exe
File opened for modification	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majordared.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\def_resource\f11.mp4	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\f11.mp4	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\bsod.exe	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\creepysound.mp3	wscript.exe

Drops file in Windows directory 1 IoCs

Processes:

Bonzify.exe

description ioc process

File created C:\Windows\executables.bin Bonzify.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1696 2248 WerFault.exe 000.exe
2852 2248 WerFault.exe 000.exe

description	ioc	process
File created	C:\Windows\executables.bin	Bonzify.exe

pid	pid_target	process	target process
1696	2248	WerFault.exe	000.exe
2852	2248	WerFault.exe	000.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 15 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2292	taskkill.exe
2672	taskkill.exe
4232	taskkill.exe
3756	taskkill.exe
3496	taskkill.exe
1504	taskkill.exe
3552	taskkill.exe
4420	taskkill.exe
3440	taskkill.exe
4208	taskkill.exe
5084	taskkill.exe
5100	taskkill.exe
4412	taskkill.exe
2876	taskkill.exe
3772	taskkill.exe

Modifies Control Panel 8 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604249232544670"	chrome.exe

Modifies registry class 13 IoCs

Processes:

000.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{9248A31E-1209-4DC2-91DA-872E4BAD989C}	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3080 chrome.exe
3080 chrome.exe
2304 chrome.exe
2304 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

3080 chrome.exe
3080 chrome.exe
3080 chrome.exe
3080 chrome.exe
3080 chrome.exe
3080 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MrsMajor3.0.exeBonzify.exe000.exe

pid process

632 MrsMajor3.0.exe
2116 Bonzify.exe
2248 000.exe
2248 000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3080 wrote to memory of 5044	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5044	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2092	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4264	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4264	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 5108	3080	chrome.exe	chrome.exe

System policy modification 1 TTPs 6 IoCs

Modify Registry

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aa29ab58,0x7ff9aa29ab68,0x7ff9aa29ab78
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:2
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:1
2⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:1
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:1
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4064 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:1
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4788 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4516 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:1
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5108 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5160 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4888 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4948 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5508 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5608 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4220 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1200 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4892 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5024 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4896 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4956 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6092 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6080 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5484 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5820 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 --field-trial-handle=1884,i,600034161402994316,18084715063361603480,131072 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4068

C:\Users\Admin\Downloads\yuh\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\yuh\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6420.tmp\6431.tmp\6432.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:4628

C:\Users\Admin\AppData\Local\Temp\6420.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\6420.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3260

C:\Users\Admin\Downloads\yuh\MrsMajor2.0.exe
"C:\Users\Admin\Downloads\yuh\MrsMajor2.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2956

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\67BA.tmp\67BB.vbs
2⤵
- Checks computer location settings
- Drops file in Program Files directory
PID:2828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
3⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\eula32.exe
eula32.exe
4⤵
- Executes dropped EXE
PID:2844

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
3⤵
PID:3664

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\A2EE.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
4⤵
PID:4080

C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:904

C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2440

C:\Windows\System32\takeown.exe
takeown /f sethc.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:796

C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:888

C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
3⤵
PID:1480

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 5
3⤵
PID:2200

C:\Users\Admin\Downloads\yuh\Install.exe
"C:\Users\Admin\Downloads\yuh\Install.exe"
1⤵
- Executes dropped EXE
PID:180

C:\Users\Admin\Downloads\yuh\BossDaMajor.exe
"C:\Users\Admin\Downloads\yuh\BossDaMajor.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1164

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\75D4.tmp\75D5.vbs
2⤵
- Checks computer location settings
- Drops file in Program Files directory
PID:4728

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:4012

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
PID:2700

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
4⤵
PID:1156

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
5⤵
PID:4004

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
5⤵
PID:1272

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
6⤵
- Enumerates connected drives
PID:1088

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 03
4⤵
PID:4300

C:\Users\Admin\Downloads\yuh\BossDaMajor.exe
"C:\Users\Admin\Downloads\yuh\BossDaMajor.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4092

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\75D5.tmp\75D5.vbs
2⤵
- Checks computer location settings
- Drops file in Program Files directory
PID:2024

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2636

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies Control Panel
- System policy modification
PID:3760

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\creepysound.mp3"
4⤵
PID:2736

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\creepysound.mp3"
5⤵
PID:2524

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
5⤵
PID:2852

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
6⤵
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files\mrsmajor\DreS_X.bat"
4⤵
PID:2704

C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:2876

C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
5⤵
- Kills process with taskkill
PID:4420

C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
5⤵
- Kills process with taskkill
PID:3772

C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
5⤵
- Kills process with taskkill
PID:4232

C:\Windows\system32\taskkill.exe
taskkill /f /im yandex.exe
5⤵
- Kills process with taskkill
PID:5084

C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
5⤵
- Kills process with taskkill
PID:5100

C:\Windows\system32\taskkill.exe
taskkill /f /im microsoftedge.exe
5⤵
- Kills process with taskkill
PID:3756

C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe
5⤵
- Kills process with taskkill
PID:3440

C:\Windows\system32\taskkill.exe
taskkill /f /im mspaint.exe
5⤵
- Kills process with taskkill
PID:4208

C:\Windows\system32\taskkill.exe
taskkill /f /im dllhost.exe
5⤵
- Kills process with taskkill
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /f /im notepad.exe
5⤵
- Kills process with taskkill
PID:2292

C:\Windows\system32\taskkill.exe
taskkill /f /im bing.exe
5⤵
- Kills process with taskkill
PID:3552

C:\Users\Admin\Downloads\yuh\Bonzify.exe
"C:\Users\Admin\Downloads\yuh\Bonzify.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
2⤵
PID:4936

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
3⤵
- Kills process with taskkill
PID:3496

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1624

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3100

C:\Users\Admin\Downloads\yuh\000.exe
"C:\Users\Admin\Downloads\yuh\000.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
PID:3096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
PID:4412

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
PID:2672

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
PID:4696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 3928
2⤵
- Program crash
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 4288
2⤵
- Program crash
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2248 -ip 2248
1⤵
PID:4952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b6055 /state1:0x41c64e6d
1⤵
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

System Information Discovery