xred | 9deda7281dac54a2b7900300b1633a01da0dd33221f8c4a03c1691e871336483

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	UNBANSEVER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	UNBANSEVER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	._cache_UNBANSEVER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	SecurityHealthSystray.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk	SecurityHealthSystray.exe

Executes dropped EXE 8 IoCs

pid	Process
2548	UNBANSEVER.exe
4548	svchost.exe
4712	._cache_UNBANSEVER.exe
3772	Synaptics.exe
3180	UNBANSEVER.exe
552	SecurityHealthSystray.exe
2660	Registry
2456	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	UNBANSEVER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "C:\\ProgramData\\Registry"	SecurityHealthSystray.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UNBANSEVER.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 36 IoCs

evasion

pid	Process
2896	taskkill.exe
4988	taskkill.exe
1916	taskkill.exe
1988	taskkill.exe
3936	taskkill.exe
2004	taskkill.exe
5096	taskkill.exe
1988	taskkill.exe
1016	taskkill.exe
3788	taskkill.exe
756	taskkill.exe
1472	taskkill.exe
3132	taskkill.exe
2960	taskkill.exe
352	taskkill.exe
3960	taskkill.exe
2876	taskkill.exe
2716	taskkill.exe
3944	taskkill.exe
464	taskkill.exe
4944	taskkill.exe
3140	taskkill.exe
4632	taskkill.exe
460	taskkill.exe
5036	taskkill.exe
3332	taskkill.exe
3316	taskkill.exe
4476	taskkill.exe
3680	taskkill.exe
4500	taskkill.exe
3624	taskkill.exe
3080	taskkill.exe
5036	taskkill.exe
2192	taskkill.exe
4980	taskkill.exe
1972	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	UNBANSEVER.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2716	schtasks.exe
4536	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2468	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2020	powershell.exe
2020	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
4544	powershell.exe
4544	powershell.exe
4540	powershell.exe
4540	powershell.exe
4544	powershell.exe
4540	powershell.exe
4976	powershell.exe
4976	powershell.exe
2672	powershell.exe
4976	powershell.exe
2672	powershell.exe
2672	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
4548	svchost.exe
4548	svchost.exe
552	SecurityHealthSystray.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	svchost.exe
Token: SeDebugPrivilege	552	SecurityHealthSystray.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	352	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2020	powershell.exe
Token: SeSecurityPrivilege	2020	powershell.exe
Token: SeTakeOwnershipPrivilege	2020	powershell.exe
Token: SeLoadDriverPrivilege	2020	powershell.exe
Token: SeSystemProfilePrivilege	2020	powershell.exe
Token: SeSystemtimePrivilege	2020	powershell.exe
Token: SeProfSingleProcessPrivilege	2020	powershell.exe
Token: SeIncBasePriorityPrivilege	2020	powershell.exe
Token: SeCreatePagefilePrivilege	2020	powershell.exe
Token: SeBackupPrivilege	2020	powershell.exe
Token: SeRestorePrivilege	2020	powershell.exe
Token: SeShutdownPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeSystemEnvironmentPrivilege	2020	powershell.exe
Token: SeRemoteShutdownPrivilege	2020	powershell.exe
Token: SeUndockPrivilege	2020	powershell.exe
Token: SeManageVolumePrivilege	2020	powershell.exe
Token: 33	2020	powershell.exe
Token: 34	2020	powershell.exe
Token: 35	2020	powershell.exe
Token: 36	2020	powershell.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe
Token: SeUndockPrivilege	5092	powershell.exe
Token: SeManageVolumePrivilege	5092	powershell.exe
Token: 33	5092	powershell.exe
Token: 34	5092	powershell.exe
Token: 35	5092	powershell.exe
Token: 36	5092	powershell.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2468	EXCEL.EXE
2468	EXCEL.EXE
2468	EXCEL.EXE
2468	EXCEL.EXE
4548	svchost.exe
552	SecurityHealthSystray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2548	1564	UNBANSEVER.exe	81
PID 1564 wrote to memory of 2548	1564	UNBANSEVER.exe	81
PID 1564 wrote to memory of 2548	1564	UNBANSEVER.exe	81
PID 1564 wrote to memory of 4548	1564	UNBANSEVER.exe	82
PID 1564 wrote to memory of 4548	1564	UNBANSEVER.exe	82
PID 2548 wrote to memory of 4712	2548	UNBANSEVER.exe	83
PID 2548 wrote to memory of 4712	2548	UNBANSEVER.exe	83
PID 2548 wrote to memory of 3772	2548	UNBANSEVER.exe	84
PID 2548 wrote to memory of 3772	2548	UNBANSEVER.exe	84
PID 2548 wrote to memory of 3772	2548	UNBANSEVER.exe	84
PID 4712 wrote to memory of 3180	4712	._cache_UNBANSEVER.exe	85
PID 4712 wrote to memory of 3180	4712	._cache_UNBANSEVER.exe	85
PID 4712 wrote to memory of 552	4712	._cache_UNBANSEVER.exe	87
PID 4712 wrote to memory of 552	4712	._cache_UNBANSEVER.exe	87
PID 3180 wrote to memory of 1996	3180	UNBANSEVER.exe	90
PID 3180 wrote to memory of 1996	3180	UNBANSEVER.exe	90
PID 1996 wrote to memory of 4476	1996	cmd.exe	91
PID 1996 wrote to memory of 4476	1996	cmd.exe	91
PID 3180 wrote to memory of 524	3180	UNBANSEVER.exe	94
PID 3180 wrote to memory of 524	3180	UNBANSEVER.exe	94
PID 524 wrote to memory of 3680	524	cmd.exe	95
PID 524 wrote to memory of 3680	524	cmd.exe	95
PID 3180 wrote to memory of 4500	3180	UNBANSEVER.exe	132
PID 3180 wrote to memory of 4500	3180	UNBANSEVER.exe	132
PID 4500 wrote to memory of 1016	4500	cmd.exe	98
PID 4500 wrote to memory of 1016	4500	cmd.exe	98
PID 3180 wrote to memory of 2964	3180	UNBANSEVER.exe	100
PID 3180 wrote to memory of 2964	3180	UNBANSEVER.exe	100
PID 2964 wrote to memory of 2876	2964	cmd.exe	101
PID 2964 wrote to memory of 2876	2964	cmd.exe	101
PID 3180 wrote to memory of 2920	3180	UNBANSEVER.exe	102
PID 3180 wrote to memory of 2920	3180	UNBANSEVER.exe	102
PID 2920 wrote to memory of 5036	2920	cmd.exe	181
PID 2920 wrote to memory of 5036	2920	cmd.exe	181
PID 3180 wrote to memory of 1928	3180	UNBANSEVER.exe	104
PID 3180 wrote to memory of 1928	3180	UNBANSEVER.exe	104
PID 1928 wrote to memory of 2960	1928	cmd.exe	105
PID 1928 wrote to memory of 2960	1928	cmd.exe	105
PID 4548 wrote to memory of 2020	4548	svchost.exe	107
PID 4548 wrote to memory of 2020	4548	svchost.exe	107
PID 3180 wrote to memory of 464	3180	UNBANSEVER.exe	158
PID 3180 wrote to memory of 464	3180	UNBANSEVER.exe	158
PID 464 wrote to memory of 352	464	cmd.exe	110
PID 464 wrote to memory of 352	464	cmd.exe	110
PID 3180 wrote to memory of 4880	3180	UNBANSEVER.exe	111
PID 3180 wrote to memory of 4880	3180	UNBANSEVER.exe	111
PID 4880 wrote to memory of 4632	4880	cmd.exe	112
PID 4880 wrote to memory of 4632	4880	cmd.exe	112
PID 3180 wrote to memory of 2504	3180	UNBANSEVER.exe	113
PID 3180 wrote to memory of 2504	3180	UNBANSEVER.exe	113
PID 2504 wrote to memory of 3788	2504	cmd.exe	144
PID 2504 wrote to memory of 3788	2504	cmd.exe	144
PID 3180 wrote to memory of 4348	3180	UNBANSEVER.exe	115
PID 3180 wrote to memory of 4348	3180	UNBANSEVER.exe	115
PID 4348 wrote to memory of 1988	4348	cmd.exe	177
PID 4348 wrote to memory of 1988	4348	cmd.exe	177
PID 3180 wrote to memory of 1104	3180	UNBANSEVER.exe	119
PID 3180 wrote to memory of 1104	3180	UNBANSEVER.exe	119
PID 1104 wrote to memory of 460	1104	cmd.exe	120
PID 1104 wrote to memory of 460	1104	cmd.exe	120
PID 3180 wrote to memory of 1800	3180	UNBANSEVER.exe	121
PID 3180 wrote to memory of 1800	3180	UNBANSEVER.exe	121
PID 1800 wrote to memory of 4980	1800	cmd.exe	122
PID 1800 wrote to memory of 4980	1800	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe
"C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
  "C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\._cache_UNBANSEVER.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_UNBANSEVER.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\ProgramData\UNBANSEVER.exe
      "C:\ProgramData\UNBANSEVER.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im RiotClienServices.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im RiotClienServices.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im vgtray.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vgtray.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTPDebuggerUI.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im KsDumperClient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im KsDumper.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTPDebuggerUI.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTPDebuggerSvc.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im ProcessHacker.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im idaq.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im idaq64.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Wireshark.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
        5⤵
        
        PID:4372
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Fiddler.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
        5⤵
        
        PID:4976
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FiddlerEverywhere.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
        5⤵
        
        PID:5008
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Xenos64.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
        5⤵
        
        PID:3596
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Xenos.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
        5⤵
        
        PID:5084
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Xenos32.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
        5⤵
        
        PID:2492
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im de4dot.exe
        6⤵
        Kills process with taskkill
        
        PID:2716
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
        5⤵
        
        PID:4036
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Cheat Engine.exe
        6⤵
        Kills process with taskkill
        
        PID:3936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
        5⤵
        
        PID:4680
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cheatengine-x86_64.exe
        6⤵
        Kills process with taskkill
        
        PID:2004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
        5⤵
        
        PID:5000
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
        6⤵
        Kills process with taskkill
        
        PID:3944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
        5⤵
        
        PID:4372
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
        6⤵
        Kills process with taskkill
        
        PID:1916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
        5⤵
        
        PID:4524
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MugenJinFuu-i386.exe
        6⤵
        Kills process with taskkill
        
        PID:1472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
        5⤵
        
        PID:4272
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cheatengine-x86_64.exe
        6⤵
        Kills process with taskkill
        
        PID:464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
        5⤵
        
        PID:3640
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cheatengine-i386.exe
        6⤵
        Kills process with taskkill
        
        PID:4944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
        5⤵
        
        PID:544
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
        6⤵
        Kills process with taskkill
        
        PID:3132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
        5⤵
        
        PID:3200
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im KsDumper.exe
        6⤵
        Kills process with taskkill
        
        PID:3140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
        5⤵
        
        PID:2104
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im OllyDbg.exe
        6⤵
        Kills process with taskkill
        
        PID:1972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
        5⤵
        
        PID:4376
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im x64dbg.exe
        6⤵
        Kills process with taskkill
        
        PID:3624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
        5⤵
        
        PID:928
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im x32dbg.exe
        6⤵
        Kills process with taskkill
        
        PID:5096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
        5⤵
        
        PID:4700
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTPDebuggerUI.exe
        6⤵
        Kills process with taskkill
        
        PID:1988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
        5⤵
        
        PID:2812
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTPDebuggerSvc.exe
        6⤵
        Kills process with taskkill
        
        PID:3080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
        5⤵
        
        PID:3252
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Ida64.exe
        6⤵
        Kills process with taskkill
        
        PID:5036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
        5⤵
        
        PID:4520
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im OllyDbg.exe
        6⤵
        Kills process with taskkill
        
        PID:2896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
        5⤵
        
        PID:4456
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Dbg64.exe
        6⤵
        Kills process with taskkill
        
        PID:3960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
        5⤵
        
        PID:2820
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Dbg32.exe
        6⤵
        Kills process with taskkill
        
        PID:2192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3812
  - - C:\ProgramData\SecurityHealthSystray.exe
      "C:\ProgramData\SecurityHealthSystray.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4540
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Registry'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Registry'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Registry" /tr "C:\ProgramData\Registry"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3772
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4536
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:1528
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:1972

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3132

C:\ProgramData\Registry
"C:\ProgramData\Registry"
1⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
1⤵
- Executes dropped EXE
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery