purecrypter | b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

Processes:

Everything.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Everything = "\"C:\\Program Files\\Everything\\Everything.exe\" -startup"	Everything.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exemsiexec.exeEverything.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	Everything.exe
File opened (read-only)	\??\V:	Everything.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	Everything.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	Everything.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	Everything.exe
File opened (read-only)	\??\N:	Everything.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	Everything.exe
File opened (read-only)	\??\L:	Everything.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	Everything.exe
File opened (read-only)	\??\I:	Everything.exe
File opened (read-only)	\??\Y:	Everything.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

cmd.exepowercfg.execmd.exepowercfg.exe

pid process

3300 cmd.exe
4668 powercfg.exe
3940 cmd.exe
1504 powercfg.exe

pid	process
3300	cmd.exe
4668	powercfg.exe
3940	cmd.exe
1504	powercfg.exe

Drops file in System32 directory 20 IoCs

Processes:

dxdiag.exedxdiag.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	dxdiag.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

7z2407-x64.exeEverything.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2407-x64.exe
File created	C:\Program Files\Everything\Uninstall.exe	Everything.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2407-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2407-x64.exe
File created	C:\Program Files\Everything\License.txt	Everything.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2407-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2407-x64.exe

Drops file in Windows directory 64 IoCs

Processes:

reg.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exepowershell.exemsiexec.exereg.execmd.execmd.execmd.exereg.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedxdiag.execmd.execmd.exeWScript.exeWScript.execmd.exedxdiag.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedispdiag.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\Reg\Notif.reg.txt	reg.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallEffectiveRules.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\FileSharing.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\serviceinfo.log	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\PowershellInfo.log	powershell.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD74.tmp	msiexec.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\Reg\HKLMWlanSvc.reg.txt	reg.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\serviceinfo.log	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\Reg\AllCredFilter.reg.txt	reg.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\neteventslog.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\serviceinfo.log	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallEffectiveRules.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\serviceinfo.log	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\dxdiag.txt	dxdiag.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\wlaninfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\osinfo.txt	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\osinfo.txt	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\dxdiag.txt	dxdiag.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\osinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Neighbors.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\FileSharing.txt	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\sysportslog.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallConfig.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\wlaninfo.txt	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\FileSharing.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\envinfo.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\osinfo.txt	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\dispdiag_stop.dat	dispdiag.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\sysportslog.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\Dns.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\serviceinfo.log	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WindowsFirewallEffectiveRules.txt	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\config\WcnInfo.txt	cmd.exe

Executes dropped EXE 13 IoCs

Processes:

Everything.exeEverything.exeEverything.exeEverything.exeEverything.exedismhost.exedismhost.exe7z2407-x64.exe7zG.exe3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a.exe7zG.exe7zG.exeMSIDDC3.tmp

pid	process
5000	Everything.exe
3040	Everything.exe
1412	Everything.exe
3684	Everything.exe
2248	Everything.exe
1568	dismhost.exe
3928	dismhost.exe
5104	7z2407-x64.exe
5568	7zG.exe
724	3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a.exe
2932	7zG.exe
5672	7zG.exe
5612	MSIDDC3.tmp

Loads dropped DLL 41 IoCs

Processes:

Everything-1.4.1.1024.x64-Setup.exedismhost.exedismhost.exe7zG.exe7zG.exe7zG.exeMsiExec.exeMsiExec.exeMsiExec.exerundll32.exeEverything.exeMsiExec.exe

pid	process
4572	Everything-1.4.1.1024.x64-Setup.exe
4572	Everything-1.4.1.1024.x64-Setup.exe
4572	Everything-1.4.1.1024.x64-Setup.exe
4572	Everything-1.4.1.1024.x64-Setup.exe
4572	Everything-1.4.1.1024.x64-Setup.exe
4572	Everything-1.4.1.1024.x64-Setup.exe
3928	dismhost.exe
1568	dismhost.exe
3928	dismhost.exe
1568	dismhost.exe
1568	dismhost.exe
3928	dismhost.exe
3928	dismhost.exe
1568	dismhost.exe
3928	dismhost.exe
1568	dismhost.exe
5568	7zG.exe
2932	7zG.exe
5672	7zG.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
6792	MsiExec.exe
6792	MsiExec.exe
6792	MsiExec.exe
6792	MsiExec.exe
6792	MsiExec.exe
6792	MsiExec.exe
5356	MsiExec.exe
5356	MsiExec.exe
1636	rundll32.exe
2248	Everything.exe
6128	MsiExec.exe
6128	MsiExec.exe
6128	MsiExec.exe
6128	MsiExec.exe
6128	MsiExec.exe
6128	MsiExec.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msedge.exevssvc.exedxdiag.exedxdiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	msedge.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ee7f732e8cf5793f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ee7f732e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ee7f732e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dee7f732e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ee7f732e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	msedge.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 6bd8af319abcda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 6bd8af319abcda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31114493"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "dnlfcx0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077c39540ccae9f4e81716e662d1ce6c0000000000200000000001066000000010000200000005f60eaa219512b50b0fcf37a40d4a757d468e18fb2081a3e081d04b4ecc2fd4f000000000e80000000020000200000004a5339011f32c9e9b79d29e0467ca9ee713cc0f75bb4eb8fdae4951ea130c41b100000009252930b3929d73e06807e38bc555609400000000bb9a75fc609b7fc590d8a6068e4b5b8aba0d28990bc1b38f152c015c541a772715353ca8e5c2116dc4fc7e99038d93d669dff7e0e62c765ff46759c2b8efdda	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077c39540ccae9f4e81716e662d1ce6c00000000002000000000010660000000100002000000008d8d86210753f760245b3e28622ddefb2dfe2db63030f92d23449f70fd14b48000000000e8000000002000020000000397cfd82a2134e5c4bcb353d08a985d69b58a676d25c8476d469d7f8db81207510010000eaac7e4b186bab78c6d07d9614eb4ec6730cde9e96f06960159e8fc1ae9c5ab8728813684170d68c806a2c0adffe245c5778781a9faeb7ac820cd272495a1062659595a0f3014e6d35fe64eea5ad36ed332e4efa096651e2e552f25ee7e14af46b2446eaf9ccb1eca1458d26a13d111bc14d011af291837c87ac3eb96b78db92ec39a7de82949090e97544b69e2206be1f4eeac7c047d2ec245f758eea0e01ef5e5074b8001be1745a656705e01f5a31397808c71e1f277d6ce9f2968767b91899778542c6b68090d9edfa9c47f3fd1d682eee2188830bf141fd2cce421b5ede7f7c078089d7398855407ef22eaed421728195d993df81dbfedaee6b10f0c68a24d53950783f912b2cabbeed362e29b640000000219d9054cfdd2bbb25265ff00f7361d8b129a7239a655bc269f3897fd574bdb0a43be43f80757aebc92f506f54cd7d340572bf9352ff43c1a0dd00cabfd510e2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 6bd8af319abcda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3050961509"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e0000005e03000096020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\Start Page_TIMESTAMP = ae1aa579cfc4da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077c39540ccae9f4e81716e662d1ce6c000000000020000000000106600000001000020000000be7b79b2ca4d8dc9f877cb858b9f36886e68056d051b58d186d6889fa298f2fd000000000e8000000002000020000000fd87342e3b825fd48100de715efc3135e128b0a713c7bf2e589eb1e20c5953571000000001727a1b2ae0722e44ec310eb65025ce4000000086b3103e5e1f08c4d3af19264c5cad12def8bfae3ffe113e0a2a2349a1a0d33721651f8101e0558b1aba451c0c7929c8b7eac5f0a46d6459c2a0a1beb0192420	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077c39540ccae9f4e81716e662d1ce6c000000000020000000000106600000001000020000000db58c0a2b0bd04d4f86a6e1b0dd206d9818bcd6ec5c2ffd3dbe0e1d6e79a2af7000000000e8000000002000020000000cb08895ae75c9ae8f966a31dcf79d4ca7ed36e712a3645d5d6e7f9548252e1f15000000081cccd129ddd0d8a434a587e1796dc34cc1b25762ec90f23e2fd8ebc3e48b02878beaea844565a9aabd0695c72325a48bd626bdf8bc805765d0577cf720229eb7758762fea635166a091f5330cfe2b7140000000aaab89ed5baf2ad8ab8871aea42a1995d8c125ad64fa0e3afd49d846c89b5c6f3b101602b90b3527651ecb6fabd419366433e517285dfa9a84af258b4c6d12e7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\SyncHomePage Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077c39540ccae9f4e81716e662d1ce6c00000000002000000000010660000000100002000000061359d7ab09d769bb975833f81de9ec44650761e0ca1ecdade9c4e69115edc86000000000e8000000002000020000000b2ce210c7a1dde135fba3b734df7e96ded0b0832c39c74c4a48f7e7af88b1b9c10000000d7f391f40f71150b7c51632ea4d3848640000000746d4de508960f6aaab95dc55e8d4fe5c09dbda43a69b2259eee5a630bbde7abdf0541d48230258034d0c94dbe92de13f5a674b98d6abffeaa2df67270d71a13	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Recovery	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

dxdiag.exeEverything.exe7z2407-x64.exeBackgroundTransferHost.exeOpenWith.exedxdiag.exeMiniSearchHost.exeEverything.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\ = "Everything File List"	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command\ = "\"C:\\Program Files\\Everything\\Everything.exe\" -edit \"%1\""	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-952492217-3293592999-1071733403-1000\{DC718F92-AA15-4FEC-B19C-562DA1687416}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Everything.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-952492217-3293592999-1071733403-1000\{A2414BFB-6044-4211-98BF-6A1C5980A5F6}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\PerceivedType = "text"	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 773187.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2407-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7ff4167650adecffecfe7ddaedb1a962c3e85074d8ffe2b2237ee3444da34aa1.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENotepad.exe

pid process

132 NOTEPAD.EXE
5788 Notepad.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

3684 PING.EXE
840 PING.EXE
4920 PING.EXE
4492 PING.EXE

pid	process
132	NOTEPAD.EXE
5788	Notepad.exe

pid	process
3684	PING.EXE
840	PING.EXE
4920	PING.EXE
4492	PING.EXE

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

dxdiag.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsiexec.exeMSIDDC3.tmprundll32.exe

pid	process
3940	dxdiag.exe
3940	dxdiag.exe
4728	powershell.exe
4728	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
2088	msedge.exe
2088	msedge.exe
4904	msedge.exe
4904	msedge.exe
3684	identity_helper.exe
3684	identity_helper.exe
5552	msedge.exe
5552	msedge.exe
5968	msedge.exe
5968	msedge.exe
1560	msedge.exe
1560	msedge.exe
3124	msedge.exe
3124	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
1792	msedge.exe
1792	msedge.exe
6332	msedge.exe
6332	msedge.exe
2152	msiexec.exe
2152	msiexec.exe
5612	MSIDDC3.tmp
5612	MSIDDC3.tmp
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

WScript.exeWScript.exeOpenWith.exe

pid process

5092 WScript.exe
1820 WScript.exe
4236 OpenWith.exe

pid	process
5092	WScript.exe
1820	WScript.exe
4236	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 60 IoCs

Processes:

msedge.exe

pid	process
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowercfg.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepowercfg.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeRestorePrivilege	1824	7zFM.exe
Token: 35	1824	7zFM.exe
Token: SeShutdownPrivilege	4668	powercfg.exe
Token: SeCreatePagefilePrivilege	4668	powercfg.exe
Token: SeSecurityPrivilege	804	wevtutil.exe
Token: SeBackupPrivilege	804	wevtutil.exe
Token: SeSecurityPrivilege	4844	wevtutil.exe
Token: SeBackupPrivilege	4844	wevtutil.exe
Token: SeSecurityPrivilege	4768	wevtutil.exe
Token: SeBackupPrivilege	4768	wevtutil.exe
Token: SeSecurityPrivilege	3672	wevtutil.exe
Token: SeBackupPrivilege	3672	wevtutil.exe
Token: SeSecurityPrivilege	576	wevtutil.exe
Token: SeBackupPrivilege	576	wevtutil.exe
Token: SeSecurityPrivilege	936	wevtutil.exe
Token: SeBackupPrivilege	936	wevtutil.exe
Token: SeShutdownPrivilege	1504	powercfg.exe
Token: SeCreatePagefilePrivilege	1504	powercfg.exe
Token: SeSecurityPrivilege	4048	wevtutil.exe
Token: SeBackupPrivilege	4048	wevtutil.exe
Token: SeSecurityPrivilege	4740	wevtutil.exe
Token: SeBackupPrivilege	4740	wevtutil.exe
Token: SeSecurityPrivilege	3872	wevtutil.exe
Token: SeBackupPrivilege	3872	wevtutil.exe
Token: SeSecurityPrivilege	3128	wevtutil.exe
Token: SeBackupPrivilege	3128	wevtutil.exe
Token: SeSecurityPrivilege	804	wevtutil.exe
Token: SeBackupPrivilege	804	wevtutil.exe
Token: SeSecurityPrivilege	1888	wevtutil.exe
Token: SeBackupPrivilege	1888	wevtutil.exe
Token: SeSecurityPrivilege	4644	wevtutil.exe
Token: SeBackupPrivilege	4644	wevtutil.exe
Token: SeSecurityPrivilege	240	wevtutil.exe
Token: SeBackupPrivilege	240	wevtutil.exe
Token: SeSecurityPrivilege	4492	wevtutil.exe
Token: SeBackupPrivilege	4492	wevtutil.exe
Token: SeSecurityPrivilege	804	wevtutil.exe
Token: SeBackupPrivilege	804	wevtutil.exe
Token: SeSecurityPrivilege	2368	wevtutil.exe
Token: SeBackupPrivilege	2368	wevtutil.exe
Token: SeSecurityPrivilege	1776	wevtutil.exe
Token: SeBackupPrivilege	1776	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	2068	wevtutil.exe
Token: SeBackupPrivilege	2068	wevtutil.exe
Token: SeSecurityPrivilege	4424	wevtutil.exe
Token: SeBackupPrivilege	4424	wevtutil.exe
Token: SeSecurityPrivilege	1456	wevtutil.exe
Token: SeBackupPrivilege	1456	wevtutil.exe
Token: SeSecurityPrivilege	4584	wevtutil.exe
Token: SeBackupPrivilege	4584	wevtutil.exe
Token: SeSecurityPrivilege	1112	wevtutil.exe
Token: SeBackupPrivilege	1112	wevtutil.exe
Token: SeSecurityPrivilege	784	wevtutil.exe
Token: SeBackupPrivilege	784	wevtutil.exe
Token: SeSecurityPrivilege	928	wevtutil.exe
Token: SeBackupPrivilege	928	wevtutil.exe
Token: SeSecurityPrivilege	3312	wevtutil.exe
Token: SeBackupPrivilege	3312	wevtutil.exe
Token: SeSecurityPrivilege	3060	wevtutil.exe
Token: SeBackupPrivilege	3060	wevtutil.exe
Token: SeSecurityPrivilege	3060	wevtutil.exe
Token: SeBackupPrivilege	3060	wevtutil.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Everything.exe7zFM.exeiexplore.exemsedge.exe7zG.exe

pid	process
2248	Everything.exe
1824	7zFM.exe
5000	iexplore.exe
5000	iexplore.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
5568	7zG.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

Everything.exemsedge.exe

pid	process
2248	Everything.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

Everything.exedxdiag.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE7z2407-x64.exeOpenWith.exeMiniSearchHost.exe

pid	process
2248	Everything.exe
3940	dxdiag.exe
5000	iexplore.exe
5000	iexplore.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
5000	iexplore.exe
5000	iexplore.exe
4660	IEXPLORE.EXE
4660	IEXPLORE.EXE
5104	7z2407-x64.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
4236	OpenWith.exe
2348	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Everything-1.4.1.1024.x64-Setup.exeEverything.exeEverything.exeWScript.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 5000	4572	Everything-1.4.1.1024.x64-Setup.exe	Everything.exe
PID 4572 wrote to memory of 5000	4572	Everything-1.4.1.1024.x64-Setup.exe	Everything.exe
PID 5000 wrote to memory of 3040	5000	Everything.exe	Everything.exe
PID 5000 wrote to memory of 3040	5000	Everything.exe	Everything.exe
PID 4572 wrote to memory of 3684	4572	Everything-1.4.1.1024.x64-Setup.exe	Everything.exe
PID 4572 wrote to memory of 3684	4572	Everything-1.4.1.1024.x64-Setup.exe	Everything.exe
PID 4572 wrote to memory of 2248	4572	Everything-1.4.1.1024.x64-Setup.exe	Everything.exe
PID 4572 wrote to memory of 2248	4572	Everything-1.4.1.1024.x64-Setup.exe	Everything.exe
PID 2248 wrote to memory of 2408	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 2408	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 2232	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 2232	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 1672	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 1672	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 5092	2248	Everything.exe	WScript.exe
PID 2248 wrote to memory of 5092	2248	Everything.exe	WScript.exe
PID 5092 wrote to memory of 1492	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 1492	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4308	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4308	5092	WScript.exe	cmd.exe
PID 4308 wrote to memory of 3340	4308	cmd.exe	reg.exe
PID 4308 wrote to memory of 3340	4308	cmd.exe	reg.exe
PID 5092 wrote to memory of 3436	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 3436	5092	WScript.exe	cmd.exe
PID 3436 wrote to memory of 4924	3436	cmd.exe	reg.exe
PID 3436 wrote to memory of 4924	3436	cmd.exe	reg.exe
PID 5092 wrote to memory of 4628	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4628	5092	WScript.exe	cmd.exe
PID 4628 wrote to memory of 3664	4628	cmd.exe	reg.exe
PID 4628 wrote to memory of 3664	4628	cmd.exe	reg.exe
PID 5092 wrote to memory of 1976	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 1976	5092	WScript.exe	cmd.exe
PID 1976 wrote to memory of 232	1976	cmd.exe	reg.exe
PID 1976 wrote to memory of 232	1976	cmd.exe	reg.exe
PID 5092 wrote to memory of 4888	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4888	5092	WScript.exe	cmd.exe
PID 4888 wrote to memory of 4576	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 4576	4888	cmd.exe	reg.exe
PID 5092 wrote to memory of 3444	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 3444	5092	WScript.exe	cmd.exe
PID 3444 wrote to memory of 4168	3444	cmd.exe	reg.exe
PID 3444 wrote to memory of 4168	3444	cmd.exe	reg.exe
PID 5092 wrote to memory of 4648	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4648	5092	WScript.exe	cmd.exe
PID 4648 wrote to memory of 2552	4648	cmd.exe	reg.exe
PID 4648 wrote to memory of 2552	4648	cmd.exe	reg.exe
PID 5092 wrote to memory of 2912	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 2912	5092	WScript.exe	cmd.exe
PID 2912 wrote to memory of 1068	2912	cmd.exe	reg.exe
PID 2912 wrote to memory of 1068	2912	cmd.exe	reg.exe
PID 5092 wrote to memory of 3244	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 3244	5092	WScript.exe	cmd.exe
PID 3244 wrote to memory of 3440	3244	cmd.exe	reg.exe
PID 3244 wrote to memory of 3440	3244	cmd.exe	reg.exe
PID 5092 wrote to memory of 4520	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4520	5092	WScript.exe	cmd.exe
PID 4520 wrote to memory of 5096	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 5096	4520	cmd.exe	reg.exe
PID 5092 wrote to memory of 1100	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 1100	5092	WScript.exe	cmd.exe
PID 1100 wrote to memory of 1552	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1552	1100	cmd.exe	reg.exe
PID 5092 wrote to memory of 3948	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 3948	5092	WScript.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\nsp4539.tmp\Everything\Everything.exe
  "C:\Users\Admin\AppData\Local\Temp\nsp4539.tmp\Everything\Everything.exe" -install "C:\Program Files\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Program Files\Everything\Everything.exe
    "C:\Program Files\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Modifies registry class
    PID:3040
- C:\Program Files\Everything\Everything.exe
  "C:\Program Files\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Program Files\Everything\Everything.exe
  "C:\Program Files\Everything\Everything.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.22000.282_none_cfe0738266c4e593\f\winrm.vbs"
    3⤵
    PID:2408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.22000.282_none_c58bc93032642398\f\winrm.vbs"
    3⤵
    PID:2232
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\WinSxS\wow64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_10.0.22000.1_en-us_6f45a7ee857a27e7\pubprn.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\gatherNetworkInfo.vbs"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c gpresult /scope:computer /v 1> config\gpresult.txt 2>&1
      4⤵
      PID:1492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
        5⤵
        
        PID:3340
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
        5⤵
        
        PID:4924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
        5⤵
        
        PID:3664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
        5⤵
        
        PID:232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
        5⤵
        
        PID:4576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
        5⤵
        
        PID:4168
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
        5⤵
        
        PID:2552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
        5⤵
        
        PID:1068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\system32\reg.exe
        
        reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
        5⤵
        
        PID:3440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
        5⤵
        Drops file in Windows directory
        
        PID:5096
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
        5⤵
        
        PID:1552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
      4⤵
      PID:3948
    - - C:\Windows\system32\reg.exe
        
        reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
        5⤵
        
        PID:896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
      4⤵
      PID:4280
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
        5⤵
        
        PID:3384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
      4⤵
      PID:1332
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
        5⤵
        
        PID:4736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
      4⤵
      PID:4184
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
        5⤵
        
        PID:2324
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set processor >> config\osinfo.txt
      4⤵
      PID:2296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c systeminfo >> config\osinfo.txt
      4⤵
      PID:3500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set u >> config\osinfo.txt
      4⤵
      PID:1932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powercfg.exe /batteryreport /output config\battery-report.html
      4⤵
      Power Settings
      PID:3300
    - - C:\Windows\system32\powercfg.exe
        
        powercfg.exe /batteryreport /output config\battery-report.html
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist /svc > processes.txt
      4⤵
      PID:3540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
      4⤵
      PID:3036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WLANAutoConfigLog.evtx
      4⤵
      PID:240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WLANAutoConfigLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
      4⤵
      PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WCMLog.evtx
      4⤵
      PID:4952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WCMLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
      4⤵
      PID:2668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WWANLog.evtx
      4⤵
      PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WWANLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan show all > config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:1236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh lan show interfaces >> config\envinfo.txt
      4⤵
      PID:1456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh lan show settings >> config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:3860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh lan show profiles >> config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:4860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show interfaces >> config\envinfo.txt
      4⤵
      PID:4528
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show profile name=* interface=* >> config\envinfo.txt
      4⤵
      PID:2408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show readyinfo interface=* >> config\envinfo.txt
      4⤵
      PID:4764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show capability interface=* >> config\envinfo.txt
      4⤵
      PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\envinfo.txt
      4⤵
      PID:1592
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\envinfo.txt
      4⤵
      PID:132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ROUTE PRINT: >> config\envinfo.txt
      4⤵
      PID:4560
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c route print >> config\envinfo.txt
      4⤵
      PID:3888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent My >> config\envinfo.txt
      4⤵
      PID:1572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent -user My >> config\envinfo.txt
      4⤵
      PID:4256
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent root >> config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:1888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -enterprise -store -silent NTAuth >> config\envinfo.txt
      4⤵
      PID:3428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -user -store -silent root >> config\envinfo.txt
      4⤵
      PID:3864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh winsock show catalog > config\WinsockCatalog.txt
      4⤵
      PID:1980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Current Profiles: > config\WindowsFirewallConfig.txt
      4⤵
      PID:2888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:3384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:4076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Firewall Configuration: >> config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:2416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:1072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall >> config\WindowsFirewallConfig.txt
      4⤵
      PID:2408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Connection Security Configuration: >> config\WindowsFirewallConfig.txt
      4⤵
      PID:3036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec >> config\WindowsFirewallConfig.txt
      4⤵
      PID:2264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Firewall Rules : >> config\WindowsFirewallConfig.txt
      4⤵
      PID:3436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:1568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name=all verbose >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules : >> config\WindowsFirewallConfig.txt
      4⤵
      PID:5000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4616
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall consec show rule name=all verbose >> config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:5096
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Firewall Rules currently enforced : > config\WindowsFirewallEffectiveRules.txt
      4⤵
      Drops file in Windows directory
      PID:3536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      Drops file in Windows directory
      PID:3612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall rule name=all >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:560
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules currently enforced : >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:3692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:3300
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3600
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec rule name=all >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:3392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
      4⤵
      PID:1832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLog.evtx
      4⤵
      PID:4092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
      4⤵
      PID:2328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLog.evtx
      4⤵
      PID:4768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallConsecLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
      4⤵
      PID:4976
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLogVerbose.evtx
      4⤵
      PID:2496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
      4⤵
      PID:5072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
      4⤵
      PID:1176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dxdiag /t dxdiag.txt
      4⤵
      PID:2016
    - - C:\Windows\system32\dxdiag.exe
        
        dxdiag /t dxdiag.txt
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dispdiag -out dispdiag_stop.dat
      4⤵
      PID:3272
    - - C:\Windows\system32\dispdiag.exe
        
        dispdiag -out dispdiag_stop.dat
        5⤵
        Drops file in Windows directory
        
        PID:1592
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c time /t >> config\wlaninfo.txt
      4⤵
      Drops file in Windows directory
      PID:4652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wl show i >> config\wlaninfo.txt
      4⤵
      PID:4588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wl show d >> config\wlaninfo.txt
      4⤵
      PID:2912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan show interfaces >> config\wlaninfo.txt
      4⤵
      PID:4576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan sho net m=b >> config\wlaninfo.txt
      4⤵
      PID:1908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query wcncsvc >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:2464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query wlansvc >> config\WcnInfo.txt
      4⤵
      PID:496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
      4⤵
      PID:2612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query fdrespub >> config\WcnInfo.txt
      4⤵
      PID:2320
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query upnphost >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
      4⤵
      PID:5016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\WcnInfo.txt
      4⤵
      PID:4560
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan show device >> config\WcnInfo.txt
      4⤵
      PID:2912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> config\WcnInfo.txt
      4⤵
      PID:4280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall show currentprofile >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:1788
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh interface teredo show state > config\netiostate.txt
      4⤵
      PID:3312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show interface >> config\netiostate.txt
      4⤵
      PID:1072
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show statistics >> config\netiostate.txt
      4⤵
      PID:4844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo IPCONFIG /DISPLAYDNS: >> config\Dns.txt
      4⤵
      PID:4000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /displaydns >> config\Dns.txt
      4⤵
      PID:4736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
      4⤵
      PID:2920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW EFFECTIVE: >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:3888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh namespace show effective >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:3988
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
      4⤵
      PID:1908
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW POLICY: >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:2496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh namespace show policy >> config\Dns.txt
      4⤵
      PID:804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ARP -A: >> config\Neighbors.txt
      4⤵
      PID:2680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >> config\Neighbors.txt
      4⤵
      Drops file in Windows directory
      PID:3124
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\Neighbors.txt
      4⤵
      PID:3524
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NETSH INT IPV6 SHOW NEIGHBORS: >> config\Neighbors.txt
      4⤵
      PID:4428
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh int ipv6 show neigh >> config\Neighbors.txt
      4⤵
      PID:2920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -N: >> config\FileSharing.txt
      4⤵
      PID:4604
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c nbtstat -n >> config\FileSharing.txt
      4⤵
      PID:2292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:4564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -C: >> config\FileSharing.txt
      4⤵
      PID:4668
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c nbtstat -c >> config\FileSharing.txt
      4⤵
      PID:3484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:4512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NET CONFIG RDR: >> config\FileSharing.txt
      4⤵
      PID:4804
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net config rdr >> config\FileSharing.txt
      4⤵
      Drops file in Windows directory
      PID:3008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:3852
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NET CONFIG SRV: >> config\FileSharing.txt
      4⤵
      PID:724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net config srv >> config\FileSharing.txt
      4⤵
      PID:5016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:2536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NET SHARE: >> config\FileSharing.txt
      4⤵
      PID:5076
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4604
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net share >> config\FileSharing.txt
      4⤵
      PID:4280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wfp show netevents file=config\netevents.xml 1> config\neteventslog.txt 2>&1
      4⤵
      Drops file in Windows directory
      PID:996
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wfp show state file=config\wfpstate.xml 1> config\wfpstatelog.txt 2>&1
      4⤵
      PID:5008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wfp show sysports file=config\sysports.xml 1> config\sysportslog.txt 2>&1
      4⤵
      Drops file in Windows directory
      PID:3312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
      4⤵
      PID:3444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmSwitchLog.evtx
      4⤵
      PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\VmSwitchLog.evtx
        5⤵
        
        PID:4716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
      4⤵
      PID:4648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
        5⤵
        
        PID:5016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmmsNetworkingLog.evtx
      4⤵
      PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\VmmsNetworkingLog.evtx
        5⤵
        
        PID:2160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wmic qfe >> config\Hotfixinfo.log
      4⤵
      PID:896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe queryex nativewifip >> config\serviceinfo.log
      4⤵
      PID:1176
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe qc nativewifip >> config\serviceinfo.log
      4⤵
      Drops file in Windows directory
      PID:2356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe queryex wlansvc >> config\serviceinfo.log
      4⤵
      PID:4740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe qc wlansvc >> config\serviceinfo.log
      4⤵
      PID:3036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe queryex dhcp >> config\serviceinfo.log
      4⤵
      PID:1568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe qc dhcp >> config\serviceinfo.log
      4⤵
      Drops file in Windows directory
      PID:4972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports >> config\winsock.log
      4⤵
      PID:4716
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List" >> config\winsock.log
      4⤵
      PID:4000
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh.exe winsock show catalog >> config\winsock.log
      4⤵
      PID:3000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
      4⤵
      PID:4584
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
        5⤵
        
        PID:1228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
      4⤵
      PID:4612
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
        5⤵
        
        PID:4172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
      4⤵
      PID:1932
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4888
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
        5⤵
        
        PID:400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
      4⤵
      PID:4744
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4668
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
        5⤵
        
        PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $net_adapter=(Get-NetAdapter -IncludeHidden); $output= ($net_adapter); $output += ($net_adapter | fl *); $output += (Get-NetAdapterAdvancedProperty | fl); $net_adapter_bindings=(Get-NetAdapterBinding -IncludeHidden); $output += ($net_adapter_bindings); $output += ($net_adapter_bindings | fl); $output += (Get-NetIpConfiguration -Detailed); $output += (Get-DnsClientNrptPolicy); $output += (Resolve-DnsName bing.com); $output += (ping bing.com -4); $output += (ping bing.com -6); $output += (Test-NetConnection bing.com -InformationLevel Detailed); $output += (Test-NetConnection bing.com -InformationLevel Detailed -CommonTCPPort HTTP); $output += (Get-NetRoute); $output += (Get-NetIPaddress); $output += (Get-NetLbfoTeam); $output += (Get-Service -Name:VMMS); $output += (Get-VMSwitch); $output += "(Get-VMNetworkAdapter -all)"; $output += (Get-DnsClientNrptPolicy); $output += (Get-WindowsOptionalFeature -Online); $output += (Get-Service | fl); $pnp_devices = (Get-PnpDevice); $output += ($pnp_devices); $output += ($pnp_devices | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_InstanceId,DEVPKEY_Device_DevNodeStatus,DEVPKEY_Device_ProblemCode); $output | Out-File config\PowershellInfo.log
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:4728
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" bing.com -4
        5⤵
        Runs ping.exe
        
        PID:3684
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" bing.com -6
        5⤵
        Runs ping.exe
        
        PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\2FC99637-3E38-4C74-AEF4-89D380603B03\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\2FC99637-3E38-4C74-AEF4-89D380603B03\dismhost.exe {791193FA-89AD-4B70-B140-B7FD469F8D19}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\gatherNetworkInfo.vbs"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c gpresult /scope:computer /v 1> config\gpresult.txt 2>&1
      4⤵
      PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
      4⤵
      PID:2748
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
        5⤵
        Drops file in Windows directory
        
        PID:984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
      4⤵
      PID:3656
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
        5⤵
        
        PID:3780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
      4⤵
      PID:2832
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
        5⤵
        Drops file in Windows directory
        
        PID:3008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
      4⤵
      PID:2240
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
        5⤵
        
        PID:2440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
      4⤵
      PID:4700
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
        5⤵
        
        PID:1348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
      4⤵
      PID:1196
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
        5⤵
        
        PID:4616
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
      4⤵
      PID:1552
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
        5⤵
        
        PID:4216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
      4⤵
      PID:3464
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
        5⤵
        
        PID:3884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
      4⤵
      PID:4076
    - - C:\Windows\system32\reg.exe
        
        reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
        5⤵
        
        PID:4884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
      4⤵
      PID:3880
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
        5⤵
        
        PID:2416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
      4⤵
      PID:2660
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
        5⤵
        
        PID:4384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
      4⤵
      PID:3532
    - - C:\Windows\system32\reg.exe
        
        reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
        5⤵
        
        PID:1872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
      4⤵
      PID:3928
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
        5⤵
        
        PID:4740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
      4⤵
      PID:3868
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3656
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
        5⤵
        
        PID:2864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
      4⤵
      PID:3008
    - - C:\Windows\system32\reg.exe
        
        reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
        5⤵
        
        PID:4652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set processor >> config\osinfo.txt
      4⤵
      Drops file in Windows directory
      PID:4960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c systeminfo >> config\osinfo.txt
      4⤵
      Drops file in Windows directory
      PID:1236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set u >> config\osinfo.txt
      4⤵
      PID:1352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powercfg.exe /batteryreport /output config\battery-report.html
      4⤵
      Power Settings
      PID:3940
    - - C:\Windows\system32\powercfg.exe
        
        powercfg.exe /batteryreport /output config\battery-report.html
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist /svc > processes.txt
      4⤵
      PID:3600
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
      4⤵
      PID:3540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WLANAutoConfigLog.evtx
      4⤵
      PID:4500
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WLANAutoConfigLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
      4⤵
      PID:3408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WCMLog.evtx
      4⤵
      PID:4144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WCMLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
      4⤵
      PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WWANLog.evtx
      4⤵
      PID:2308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WWANLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan show all > config\envinfo.txt
      4⤵
      PID:4520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh lan show interfaces >> config\envinfo.txt
      4⤵
      PID:3520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh lan show settings >> config\envinfo.txt
      4⤵
      PID:4280
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh lan show profiles >> config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:3700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show interfaces >> config\envinfo.txt
      4⤵
      PID:1920
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show profile name=* interface=* >> config\envinfo.txt
      4⤵
      PID:2808
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show readyinfo interface=* >> config\envinfo.txt
      4⤵
      PID:488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh mbn show capability interface=* >> config\envinfo.txt
      4⤵
      PID:3540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\envinfo.txt
      4⤵
      PID:4308
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\envinfo.txt
      4⤵
      PID:2264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ROUTE PRINT: >> config\envinfo.txt
      4⤵
      PID:1508
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c route print >> config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:4144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent My >> config\envinfo.txt
      4⤵
      PID:1228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent -user My >> config\envinfo.txt
      4⤵
      Drops file in Windows directory
      PID:1484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent root >> config\envinfo.txt
      4⤵
      PID:4616
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -enterprise -store -silent NTAuth >> config\envinfo.txt
      4⤵
      PID:996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -v -user -store -silent root >> config\envinfo.txt
      4⤵
      PID:4736
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh winsock show catalog > config\WinsockCatalog.txt
      4⤵
      PID:656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Current Profiles: > config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:1332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txt
      4⤵
      PID:3548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Firewall Configuration: >> config\WindowsFirewallConfig.txt
      4⤵
      PID:496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:4872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Connection Security Configuration: >> config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:4636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec >> config\WindowsFirewallConfig.txt
      4⤵
      PID:3780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Firewall Rules : >> config\WindowsFirewallConfig.txt
      4⤵
      PID:1976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4500
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name=all verbose >> config\WindowsFirewallConfig.txt
      4⤵
      PID:4472
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules : >> config\WindowsFirewallConfig.txt
      4⤵
      PID:3656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
      4⤵
      Drops file in Windows directory
      PID:1692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall consec show rule name=all verbose >> config\WindowsFirewallConfig.txt
      4⤵
      PID:1884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Firewall Rules currently enforced : > config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:3240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      Drops file in Windows directory
      PID:2684
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall rule name=all >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:2368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules currently enforced : >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:4692
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec rule name=all >> config\WindowsFirewallEffectiveRules.txt
      4⤵
      PID:1604
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
      4⤵
      PID:1552
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLog.evtx
      4⤵
      PID:1236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
      4⤵
      PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLog.evtx
      4⤵
      PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallConsecLog.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
      4⤵
      PID:3844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLogVerbose.evtx
      4⤵
      PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
      4⤵
      PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
      4⤵
      PID:3916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dxdiag /t dxdiag.txt
      4⤵
      PID:3408
    - - C:\Windows\system32\dxdiag.exe
        
        dxdiag /t dxdiag.txt
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies registry class
        
        PID:4984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dispdiag -out dispdiag_stop.dat
      4⤵
      PID:4088
    - - C:\Windows\system32\dispdiag.exe
        
        dispdiag -out dispdiag_stop.dat
        5⤵
        
        PID:4584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c time /t >> config\wlaninfo.txt
      4⤵
      PID:1104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wl show i >> config\wlaninfo.txt
      4⤵
      PID:5084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wl show d >> config\wlaninfo.txt
      4⤵
      PID:2952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan show interfaces >> config\wlaninfo.txt
      4⤵
      PID:3728
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan sho net m=b >> config\wlaninfo.txt
      4⤵
      PID:3752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query wcncsvc >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:2328
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query wlansvc >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:1028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
      4⤵
      PID:1452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query fdrespub >> config\WcnInfo.txt
      4⤵
      PID:4584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query upnphost >> config\WcnInfo.txt
      4⤵
      PID:104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:4840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\WcnInfo.txt
      4⤵
      Drops file in Windows directory
      PID:1976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wlan show device >> config\WcnInfo.txt
      4⤵
      PID:3916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> config\WcnInfo.txt
      4⤵
      PID:4632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall show currentprofile >> config\WcnInfo.txt
      4⤵
      PID:4648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh interface teredo show state > config\netiostate.txt
      4⤵
      PID:4140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show interface >> config\netiostate.txt
      4⤵
      PID:4976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show statistics >> config\netiostate.txt
      4⤵
      PID:132
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo IPCONFIG /DISPLAYDNS: >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:3464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /displaydns >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:3444
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW EFFECTIVE: >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh namespace show effective >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:5016
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW POLICY: >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:3364
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh namespace show policy >> config\Dns.txt
      4⤵
      Drops file in Windows directory
      PID:2160
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo ARP -A: >> config\Neighbors.txt
      4⤵
      PID:2712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >> config\Neighbors.txt
      4⤵
      PID:2068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\Neighbors.txt
      4⤵
      PID:2232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NETSH INT IPV6 SHOW NEIGHBORS: >> config\Neighbors.txt
      4⤵
      PID:3700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh int ipv6 show neigh >> config\Neighbors.txt
      4⤵
      PID:3928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -N: >> config\FileSharing.txt
      4⤵
      Drops file in Windows directory
      PID:240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c nbtstat -n >> config\FileSharing.txt
      4⤵
      PID:4000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:4648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -C: >> config\FileSharing.txt
      4⤵
      PID:4560
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c nbtstat -c >> config\FileSharing.txt
      4⤵
      PID:4676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:3532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NET CONFIG RDR: >> config\FileSharing.txt
      4⤵
      PID:4888
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net config rdr >> config\FileSharing.txt
      4⤵
      Drops file in Windows directory
      PID:1884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NET CONFIG SRV: >> config\FileSharing.txt
      4⤵
      PID:2320
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1592
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net config srv >> config\FileSharing.txt
      4⤵
      PID:4588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
      4⤵
      PID:1228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NET SHARE: >> config\FileSharing.txt
      4⤵
      PID:4468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net share >> config\FileSharing.txt
      4⤵
      PID:3320
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wfp show netevents file=config\netevents.xml 1> config\neteventslog.txt 2>&1
      4⤵
      PID:1932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wfp show state file=config\wfpstate.xml 1> config\wfpstatelog.txt 2>&1
      4⤵
      PID:4380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh wfp show sysports file=config\sysports.xml 1> config\sysportslog.txt 2>&1
      4⤵
      Drops file in Windows directory
      PID:4960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
      4⤵
      PID:1672
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
        5⤵
        
        PID:2088
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmSwitchLog.evtx
      4⤵
      PID:3672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\VmSwitchLog.evtx
        5⤵
        
        PID:1696
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
      4⤵
      PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
        5⤵
        
        PID:3684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmmsNetworkingLog.evtx
      4⤵
      PID:1228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil al config\VmmsNetworkingLog.evtx
        5⤵
        
        PID:4468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wmic qfe >> config\Hotfixinfo.log
      4⤵
      PID:2196
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe queryex nativewifip >> config\serviceinfo.log
      4⤵
      Drops file in Windows directory
      PID:3872
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe qc nativewifip >> config\serviceinfo.log
      4⤵
      Drops file in Windows directory
      PID:280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe queryex wlansvc >> config\serviceinfo.log
      4⤵
      Drops file in Windows directory
      PID:1636
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe qc wlansvc >> config\serviceinfo.log
      4⤵
      PID:4924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe queryex dhcp >> config\serviceinfo.log
      4⤵
      PID:3272
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc.exe qc dhcp >> config\serviceinfo.log
      4⤵
      PID:3124
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports >> config\winsock.log
      4⤵
      PID:4060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List" >> config\winsock.log
      4⤵
      PID:3460
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh.exe winsock show catalog >> config\winsock.log
      4⤵
      PID:716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
      4⤵
      PID:3816
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
        5⤵
        
        PID:4516
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
      4⤵
      PID:3320
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
        5⤵
        
        PID:4860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
      4⤵
      PID:3704
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
        5⤵
        
        PID:2176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
      4⤵
      PID:4160
    - - C:\Windows\system32\reg.exe
        
        Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
        5⤵
        
        PID:3056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $net_adapter=(Get-NetAdapter -IncludeHidden); $output= ($net_adapter); $output += ($net_adapter | fl *); $output += (Get-NetAdapterAdvancedProperty | fl); $net_adapter_bindings=(Get-NetAdapterBinding -IncludeHidden); $output += ($net_adapter_bindings); $output += ($net_adapter_bindings | fl); $output += (Get-NetIpConfiguration -Detailed); $output += (Get-DnsClientNrptPolicy); $output += (Resolve-DnsName bing.com); $output += (ping bing.com -4); $output += (ping bing.com -6); $output += (Test-NetConnection bing.com -InformationLevel Detailed); $output += (Test-NetConnection bing.com -InformationLevel Detailed -CommonTCPPort HTTP); $output += (Get-NetRoute); $output += (Get-NetIPaddress); $output += (Get-NetLbfoTeam); $output += (Get-Service -Name:VMMS); $output += (Get-VMSwitch); $output += "(Get-VMNetworkAdapter -all)"; $output += (Get-DnsClientNrptPolicy); $output += (Get-WindowsOptionalFeature -Online); $output += (Get-Service | fl); $pnp_devices = (Get-PnpDevice); $output += ($pnp_devices); $output += ($pnp_devices | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_InstanceId,DEVPKEY_Device_DevNodeStatus,DEVPKEY_Device_ProblemCode); $output | Out-File config\PowershellInfo.log
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3636
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:584
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" bing.com -4
        5⤵
        Runs ping.exe
        
        PID:840
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" bing.com -6
        5⤵
        Runs ping.exe
        
        PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\B93923B3-55A0-4C6B-B98D-3A648649A7C6\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\B93923B3-55A0-4C6B-B98D-3A648649A7C6\dismhost.exe {FF2B167B-4DDA-4D78-A8AF-C880243F5F33}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Microsoft Office\Office16\OSPP.VBS"
    3⤵
    PID:1568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Microsoft Office\Office16\OSPP.VBS"
    3⤵
    PID:4508
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\winrm.vbs"
    3⤵
    PID:3880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\winrm.vbs"
    3⤵
    PID:4912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\AEJOLBD8\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js"
    3⤵
    PID:7008
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\FA3XQX0E\4-xJy3tX6bM2BGl5zKioiEcQ1TU[1].css
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:132
- - C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\AEJOLBD8\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5788

C:\Program Files\Everything\Everything.exe
"C:\Program Files\Everything\Everything.exe" -svc
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3084

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\WinSxS\amd64_microsoft-windows-exploitguard-adm_31bf3856ad364e35_10.0.22000.1_none_434a2f7a3fa5e4b3\ExploitGuard.admx"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1824

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:82948 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c0e83cb8,0x7ff9c0e83cc8,0x7ff9c0e83cd8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Users\Admin\Downloads\7z2407-x64.exe
  "C:\Users\Admin\Downloads\7z2407-x64.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5860 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9400 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9348 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9520 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9360 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9372 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8452 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9740 /prefetch:1
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9744 /prefetch:1
  2⤵
  PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:1
  2⤵
  PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10112 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9276 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10596 /prefetch:1
  2⤵
  PID:6984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10617743273386068403,14799720191319424082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:5952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4744

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a\" -ad -an -ai#7zMap30930:190:7zEvent2528
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5568

C:\Users\Admin\Downloads\3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a\3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a.exe
"C:\Users\Admin\Downloads\3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a\3ae49a5b78ab66f58f2d5805940b0f73b46b942dc0ee12bb60bf6ec88425550a.exe"
1⤵
- Executes dropped EXE
PID:724

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15420:190:7zEvent12280
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:896

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30974:190:7zEvent12716
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5672

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6.msi"
1⤵
- Enumerates connected drives
PID:2084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2152
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2721A5AB267611728A71D7237D24BF53 C
  2⤵
  - Loads dropped DLL
  PID:5004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 46CD23242DF3415BC299E19D73700241 C
  2⤵
  - Loads dropped DLL
  PID:6792
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4396
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 95687F2DC7A0ED7F23E3D2620291E2CA
  2⤵
  - Loads dropped DLL
  PID:5356
- C:\Windows\Installer\MSIDDC3.tmp
  "C:\Windows\Installer\MSIDDC3.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\aclui.dll, edit
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3768E49EC5F2DA8AE155E17076570836 C
  2⤵
  - Loads dropped DLL
  PID:6128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6.msi"
1⤵
- Enumerates connected drives
PID:5932

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aclui.dll, edit
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1636

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:6208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:6800

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2348

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:4328

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:1068

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:4016

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:3444

\??\E:\New Project Sets KV222LLV1.exe
"E:\New Project Sets KV222LLV1.exe"
1⤵
PID:6964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1888

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4364

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6.msi"
1⤵
- Enumerates connected drives
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery