asyncrat | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x00070000000471b7-3731.dat	family_asyncrat

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	$77-Bitdefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	$77-Bitdefender.exe
Key created	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RegisteredApplications = "C:\\Users\\Admin\\AppData\\Roaming\\264415.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ApiUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	ApiUpdater.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3752	powershell.exe
6036	powershell.exe
4704	powershell.exe
3608	powershell.exe
4812	powershell.exe
4276	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 23 IoCs

flow	pid	Process
627	236	New Text Document.exe
660	236	New Text Document.exe
664	236	New Text Document.exe
668	236	New Text Document.exe
441	236	New Text Document.exe
441	236	New Text Document.exe
629	236	New Text Document.exe
635	236	New Text Document.exe
638	236	New Text Document.exe
638	236	New Text Document.exe
638	236	New Text Document.exe
512	236	New Text Document.exe
642	236	New Text Document.exe
437	236	New Text Document.exe
640	236	New Text Document.exe
452	236	New Text Document.exe
447	236	New Text Document.exe
487	236	New Text Document.exe
630	236	New Text Document.exe
645	236	New Text Document.exe
667	236	New Text Document.exe
662	236	New Text Document.exe
662	236	New Text Document.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5544	netsh.exe
5456	netsh.exe
5952	netsh.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	vapo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	ApiUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	windows.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk	e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk	e.exe

Executes dropped EXE 64 IoCs

pid	Process
5584	updater.exe
3296	Discord.exe
540	update.exe
4168	noyjhoadw.exe
2244	powerstealer.exe
3476	build.exe
5916	fag3.exe
3364	fag.exe
5708	Server.exe
2672	server.exe
3020	StUpdate.exe
5556	e.exe
5448	payload.exe
4468	abc.exe
1764	StUpdate.exe
1616	StUpdate.exe
3032	StUpdate.exe
1608	StUpdate.exe
1636	done.exe
5364	sampcac-loader.exe
6104	Loader.exe
3756	15.exe
5240	traf.exe
4296	sel1.exe
1368	vapo.exe
4772	amada2.exe
1864	gdsun.exe
4040	1.exe
5808	Update.exe
5192	test.exe
5324	BQEHIQAG.exe
4660	BQEHIQAG.exe
3032	DBDownloader.exe
2184	DBDownloader.exe
1764	rh_0-8_2025-01-23_15-05.exe
5176	ApiUpdater.exe
5432	windows.exe
3828	T.exe
396	Enalib.exe
4080	$77-Bitdefender.exe
5820	36.exe
3656	access.exe
5652	StUpdate.exe
3664	vapo.exe
5292	system.exe
3448	Surrey.com
5284	StUpdate.exe
636	vapo.exe
5728	StUpdate.exe
1932	vapo.exe
3616	StUpdate.exe
2392	vapo.exe
4724	StUpdate.exe
2184	vapo.exe
1808	StUpdate.exe
3784	vapo.exe
440	StUpdate.exe
1780	vapo.exe
4812	StUpdate.exe
904	vapo.exe
4408	StUpdate.exe
5688	vapo.exe
4588	StUpdate.exe
4476	vapo.exe

Loads dropped DLL 20 IoCs

pid	Process
4660	BQEHIQAG.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
3032	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe
2184	DBDownloader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update(32bit) = "C:\\ProgramData\\Java Update(32bit).exe"	e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	ApiUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	ApiUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	$77-Bitdefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	$77-Bitdefender.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
1973	pastebin.com
3130	pastebin.com
3173	pastebin.com
3343	pastebin.com
3492	pastebin.com
3744	pastebin.com
1522	pastebin.com
921	pastebin.com
1678	pastebin.com
1933	pastebin.com
2191	pastebin.com
2561	pastebin.com
2937	pastebin.com
3546	pastebin.com
679	pastebin.com
898	pastebin.com
1242	pastebin.com
1734	pastebin.com
3560	pastebin.com
3732	pastebin.com
718	pastebin.com
2454	pastebin.com
3533	pastebin.com
1636	pastebin.com
1273	pastebin.com
1292	pastebin.com
1877	pastebin.com
2170	pastebin.com
2176	pastebin.com
2204	pastebin.com
892	pastebin.com
1655	pastebin.com
1760	pastebin.com
1923	pastebin.com
3381	pastebin.com
3749	pastebin.com
1200	pastebin.com
2157	pastebin.com
3028	pastebin.com
3142	pastebin.com
3183	pastebin.com
3581	pastebin.com
919	pastebin.com
2060	pastebin.com
2544	pastebin.com
3456	pastebin.com
873	pastebin.com
1336	pastebin.com
1513	pastebin.com
2446	pastebin.com
3060	pastebin.com
3465	pastebin.com
840	pastebin.com
1167	pastebin.com
1210	pastebin.com
1547	pastebin.com
1855	pastebin.com
2310	pastebin.com
2752	pastebin.com
2940	pastebin.com
714	pastebin.com
3175	pastebin.com
3193	pastebin.com
3633	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
520	ip-api.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sel1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	traf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	traf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	sel1.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3404	tasklist.exe
3004	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4080 set thread context of 5648	4080	$77-Bitdefender.exe	284
PID 2184 set thread context of 4908	2184	DBDownloader.exe	265

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b474566b-d079-4917-a7af-a5678dd82db6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250127223910.pma	setup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\ImmediatelyBros	1.exe
File opened for modification	C:\Windows\TransferRare	1.exe
File opened for modification	C:\Windows\EscortsNascar	1.exe
File opened for modification	C:\Windows\NavyPromising	1.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\HonoluluSyndrome	1.exe
File opened for modification	C:\Windows\OxfordPrintable	1.exe
File opened for modification	C:\Windows\ViBases	1.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	\??\c:\programdata\1be588a5b7\gdsun.exe:Zone.Identifier	amada2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4636	3756	WerFault.exe	236
3664	3716	WerFault.exe	257
2224	1764	WerFault.exe	264
5676	5820	WerFault.exe	287
2800	1748	WerFault.exe	271

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enalib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	access.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sampcac-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noyjhoadw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amada2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BQEHIQAG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rh_0-8_2025-01-23_15-05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sel1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdsun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3220	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133824910471992626"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1576956541-1869783662-2981982442-1000\{B36C6243-47E3-4761-A8A6-404E286D788C}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings	ApiUpdater.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
4584	reg.exe
3792	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	\??\c:\programdata\1be588a5b7\gdsun.exe:Zone.Identifier	amada2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4644	schtasks.exe
628	schtasks.exe
5900	schtasks.exe
1556	schtasks.exe
5972	schtasks.exe
3032	schtasks.exe
1276	schtasks.exe
5296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
1608	msedge.exe
1608	msedge.exe
6044	msedge.exe
6044	msedge.exe
4428	identity_helper.exe
4428	identity_helper.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe
2672	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2672	server.exe
5556	e.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4296	sel1.exe
4296	sel1.exe
5240	traf.exe
5240	traf.exe
4080	$77-Bitdefender.exe
2184	DBDownloader.exe
4908	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
6044	msedge.exe
6044	msedge.exe
5916	fag3.exe
3448	Surrey.com
3448	Surrey.com
3448	Surrey.com

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
5916	fag3.exe
3448	Surrey.com
3448	Surrey.com
3448	Surrey.com

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
540	update.exe
2244	powerstealer.exe
5556	e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2100	2340	chrome.exe	92
PID 2340 wrote to memory of 2100	2340	chrome.exe	92
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 3644	2340	chrome.exe	93
PID 2340 wrote to memory of 2152	2340	chrome.exe	94
PID 2340 wrote to memory of 2152	2340	chrome.exe	94
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95
PID 2340 wrote to memory of 1864	2340	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2600
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip"
1⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffe04eccc40,0x7ffe04eccc4c,0x7ffe04eccc58
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3996
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff7c08f4698,0x7ff7c08f46a4,0x7ff7c08f46b0
    3⤵
    - Drops file in Windows directory
    PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4460,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4716,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3448,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3436,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3328,i,16397616999320385232,17878501102815736509,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3292 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4036
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1868 -prefsLen 26929 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4db4c812-ec67-4520-8555-dbdcb6ce83cc} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" gpu
    3⤵
    PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 26807 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4060c01-b685-4738-8623-50628637eb58} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" socket
    3⤵
    - Checks processor information in registry
    PID:2520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2928 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82df18bd-b943-45f2-a57b-9bc365935a94} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4192 -childID 2 -isForBrowser -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 32181 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bfeaed9-69e2-4267-83a0-ee4c19a48fc9} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 32181 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {535660d2-1700-425f-a34c-0c6d6731b8f5} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" utility
    3⤵
    - Checks processor information in registry
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 4916 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2ed26d-e54a-4625-ba62-19b5ce148ec7} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a952322-677e-4ce4-a73d-36122661e980} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:5948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23e21ee5-1905-44b1-baea-249637d0ce9b} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:5960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6312 -childID 6 -isForBrowser -prefsHandle 6176 -prefMapHandle 6252 -prefsLen 27307 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99eaec29-53e5-4da5-a220-d7b17db6ddf9} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:2576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1396 -childID 7 -isForBrowser -prefsHandle 6324 -prefMapHandle 3824 -prefsLen 27307 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37296f14-ebce-4088-aa3a-8a1407a5231b} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 8 -isForBrowser -prefsHandle 5176 -prefMapHandle 5172 -prefsLen 28117 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acc1810d-9f5b-4ac5-b9c4-b1b67b2a826f} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -parentBuildID 20240401114208 -prefsHandle 5632 -prefMapHandle 5916 -prefsLen 33803 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b42ad47-2536-4237-9cf0-33a547e450ae} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" rdd
    3⤵
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7084 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5420 -prefMapHandle 4680 -prefsLen 33803 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b02412-98c7-4409-a457-a3027f0a8525} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" utility
    3⤵
    - Checks processor information in registry
    PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffe040346f8,0x7ffe04034708,0x7ffe04034718
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7e4745460,0x7ff7e4745470,0x7ff7e4745480
    3⤵
    PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,18391864513340417987,317079921170427835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5256

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Downloads MZ/PE file
PID:236
- C:\Users\Admin\Desktop\a\updater.exe
  "C:\Users\Admin\Desktop\a\updater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5584
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5972
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:540
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1276
- C:\Users\Admin\Desktop\a\Discord.exe
  "C:\Users\Admin\Desktop\a\Discord.exe"
  2⤵
  - Executes dropped EXE
  PID:3296
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3032
- - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2244
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5296
- C:\Users\Admin\Desktop\a\noyjhoadw.exe
  "C:\Users\Admin\Desktop\a\noyjhoadw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4168
- C:\Users\Admin\Desktop\a\build.exe
  "C:\Users\Admin\Desktop\a\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Users\Admin\Desktop\a\fag3.exe
  "C:\Users\Admin\Desktop\a\fag3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5916
- C:\Users\Admin\Desktop\a\fag.exe
  "C:\Users\Admin\Desktop\a\fag.exe"
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Users\Admin\Desktop\a\Server.exe
  "C:\Users\Admin\Desktop\a\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2672
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5952
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5544
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5456
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4644
- C:\Users\Admin\Desktop\a\e.exe
  "C:\Users\Admin\Desktop\a\e.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\a\e.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'e.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3608
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:628
- C:\Users\Admin\Desktop\a\payload.exe
  "C:\Users\Admin\Desktop\a\payload.exe"
  2⤵
  - Executes dropped EXE
  PID:5448
- C:\Users\Admin\Desktop\a\abc.exe
  "C:\Users\Admin\Desktop\a\abc.exe"
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Users\Admin\Desktop\a\done.exe
  "C:\Users\Admin\Desktop\a\done.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath "C:\gamnwzgybv"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\Users\Admin\Desktop\a\sampcac-loader.exe
  "C:\Users\Admin\Desktop\a\sampcac-loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5364
- C:\Users\Admin\Desktop\a\Loader.exe
  "C:\Users\Admin\Desktop\a\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:6104
- C:\Users\Admin\Desktop\a\15.exe
  "C:\Users\Admin\Desktop\a\15.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 396
    3⤵
    - Program crash
    PID:4636
- C:\Users\Admin\Desktop\a\traf.exe
  "C:\Users\Admin\Desktop\a\traf.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: MapViewOfSection
  PID:5240
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1440
      4⤵
      Program crash
      PID:2800
- C:\Users\Admin\Desktop\a\sel1.exe
  "C:\Users\Admin\Desktop\a\sel1.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:4296
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds policy Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 892
      4⤵
      Program crash
      PID:3664
- C:\Users\Admin\Desktop\a\vapo.exe
  "C:\Users\Admin\Desktop\a\vapo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1368
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\Admin\AppData\Roaming\vapo.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5900
- C:\Users\Admin\Desktop\a\amada2.exe
  "C:\Users\Admin\Desktop\a\amada2.exe"
  2⤵
  - Executes dropped EXE
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4772
- - \??\c:\programdata\1be588a5b7\gdsun.exe
    c:\programdata\1be588a5b7\gdsun.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
  - - C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7
      4⤵
      PID:1424
- C:\Users\Admin\Desktop\a\1.exe
  "C:\Users\Admin\Desktop\a\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3404
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 634977
      4⤵
      System Location Discovery: System Language Discovery
      PID:4792
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Gtk
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "Constitution" Wagon
      4⤵
      System Location Discovery: System Language Discovery
      PID:3688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 634977\Surrey.com + Firewire + Values + Expanding + Representing + Gothic + Voltage + Refinance + Nec + Kate 634977\Surrey.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Courage + ..\Remove + ..\Throws + ..\Competing Q
      4⤵
      System Location Discovery: System Language Discovery
      PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com
      Surrey.com Q
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3448
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:1556
- C:\Users\Admin\Desktop\a\Update.exe
  "C:\Users\Admin\Desktop\a\Update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5808
- C:\Users\Admin\Desktop\a\test.exe
  "C:\Users\Admin\Desktop\a\test.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5192
- C:\Users\Admin\Desktop\a\BQEHIQAG.exe
  "C:\Users\Admin\Desktop\a\BQEHIQAG.exe"
  2⤵
  - Executes dropped EXE
  PID:5324
- - C:\Windows\Temp\{07FFC4C3-B82C-4823-9358-4AF768913A0B}\.cr\BQEHIQAG.exe
    "C:\Windows\Temp\{07FFC4C3-B82C-4823-9358-4AF768913A0B}\.cr\BQEHIQAG.exe" -burn.clean.room="C:\Users\Admin\Desktop\a\BQEHIQAG.exe" -burn.filehandle.attached=572 -burn.filehandle.self=576
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4660
  - - C:\Windows\Temp\{F03757D8-DC03-494F-B2DA-1AC5CBEEA057}\.ba\DBDownloader.exe
      C:\Windows\Temp\{F03757D8-DC03-494F-B2DA-1AC5CBEEA057}\.ba\DBDownloader.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3032
    - - C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
        
        C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4908
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        
        PID:3220
- C:\Users\Admin\Desktop\a\rh_0-8_2025-01-23_15-05.exe
  "C:\Users\Admin\Desktop\a\rh_0-8_2025-01-23_15-05.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 416
    3⤵
    - Program crash
    PID:2224
- C:\Users\Admin\Desktop\a\ApiUpdater.exe
  "C:\Users\Admin\Desktop\a\ApiUpdater.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID:5176
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4188
    - - C:\ProgramData\Bitdefender\$77-Bitdefender.exe
        
        C:\ProgramData\Bitdefender\$77-Bitdefender.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4080
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4584
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:5648
- C:\Users\Admin\Desktop\a\windows.exe
  "C:\Users\Admin\Desktop\a\windows.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5384
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp77F3.tmp.bat""
    3⤵
    PID:5028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3220
  - - C:\Users\Admin\AppData\Roaming\system.exe
      "C:\Users\Admin\AppData\Roaming\system.exe"
      4⤵
      Executes dropped EXE
      PID:5292
- C:\Users\Admin\Desktop\a\T.exe
  "C:\Users\Admin\Desktop\a\T.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\Desktop\a\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5388
- C:\Users\Admin\Desktop\a\Enalib.exe
  "C:\Users\Admin\Desktop\a\Enalib.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\Desktop\a\Enalib.exe' 'C:\ProgramData\1be588a5b7\Enalib.exe' -Force
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6116
- C:\Users\Admin\Desktop\a\36.exe
  "C:\Users\Admin\Desktop\a\36.exe"
  2⤵
  - Executes dropped EXE
  PID:5820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 396
    3⤵
    - Program crash
    PID:5676
- C:\Users\Admin\Desktop\a\access.exe
  "C:\Users\Admin\Desktop\a\access.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3656

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1764

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3756 -ip 3756
1⤵
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 232 -p 3716 -ip 3716
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1764 -ip 1764
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5820 -ip 5820
1⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5652

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1748 -ip 1748
1⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5284

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
PID:5728

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:3784

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
PID:440

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:5688

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4588

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:436

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
PID:872

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
PID:2000

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
PID:3404

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
PID:4968

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2328

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3824

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1340

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4928

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:784

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5380

C:\Users\Admin\AppData\Roaming\vapo.exe
"C:\Users\Admin\AppData\Roaming\vapo.exe"
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery